|
|
@@ -25,11 +25,15 @@ import java.util.regex.Pattern;
|
|
|
* @since 2021-08-15
|
|
|
*/
|
|
|
public class SqlInjectionUtils {
|
|
|
- // SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配
|
|
|
- private static final Pattern sqlSyntaxPattern = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" +
|
|
|
+ /**
|
|
|
+ * SQL语法检查正则:符合两个关键字(有先后顺序)才算匹配
|
|
|
+ */
|
|
|
+ private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)" +
|
|
|
".+(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)", Pattern.CASE_INSENSITIVE);
|
|
|
- // 使用'、;或注释截断SQL检查正则
|
|
|
- private static final Pattern sqlCommentPattern = Pattern.compile("'.*(or|union|--|#|/*|;)", Pattern.CASE_INSENSITIVE);
|
|
|
+ /**
|
|
|
+ * 使用'、;或注释截断SQL检查正则
|
|
|
+ */
|
|
|
+ private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/*|;)", Pattern.CASE_INSENSITIVE);
|
|
|
|
|
|
/**
|
|
|
* 检查参数是否存在 SQL 注入
|
|
|
@@ -39,14 +43,7 @@ public class SqlInjectionUtils {
|
|
|
*/
|
|
|
public static boolean check(String value) {
|
|
|
Objects.requireNonNull(value);
|
|
|
- // 处理是否包含SQL注释字符
|
|
|
- if (sqlCommentPattern.matcher(value).find()) {
|
|
|
- return true;
|
|
|
- }
|
|
|
- // 检查是否包含SQL注入敏感字符
|
|
|
- if (sqlSyntaxPattern.matcher(value).find()) {
|
|
|
- return true;
|
|
|
- }
|
|
|
- return false;
|
|
|
+ // 处理是否包含SQL注释字符 || 检查是否包含SQL注入敏感字符
|
|
|
+ return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
|
|
|
}
|
|
|
}
|
XinLau