![](/img/trans.png)
[英]for xss attack prevention do i use prepared statement or callable statement
[英]Using (.matches) boolean statement prevents XSS attack?
我使用下面提到的布爾語句來了解我從輸入框中獲取的字符串是否包含任何特殊字符。 我想知道這是防止XSS攻擊的好方法,可以繞過此過濾器嗎?
!id.matches(".*[%#^<>&;'\0-].*")
這是完整的代碼
package pack.java;
import pack.java.findrequestmodel;
import java.io.*;
import java.lang.*;
import org.apache.commons.lang.StringEscapeUtils;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;
import javax.servlet.jsp.*;
import javax.servlet.jsp.tagext.*;
public class findrequestcontrol extends TagSupport
{
HttpServletRequest request;
HttpServletResponse response;
public int doStartTag() throws JspException
{
request = (HttpServletRequest) pageContext.getRequest();
response = (HttpServletResponse) pageContext.getResponse();
return EVAL_PAGE;
}
public ResultSet check()
{
JspWriter out = pageContext.getOut();
Connection con;
ResultSet rs = null;
CallableStatement stmt;
String checkreq = "";
String reqnum = (String) findrequestmodel.requestno.trim();
try
{
Class.forName("oracle.jdbc.driver.OracleDriver");
}
catch (ClassNotFoundException ex)
{
}
try
{
if (!reqnum.matches(".*[%#^<>&;'\0-].*") )
{
con = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:XE","gaurav","oracle");
stmt=con.prepareCall("begin requestdetail(?); end;");
stmt.setString(1,reqnum);
rs=stmt.executeQuery();
}
else
out.println("Invalid Number");
}
catch(SQLException ex)
{
}
catch(Exception ex)
{
}
return rs;
}
public int doEndTag() throws JspException
{
JspWriter out=pageContext.getOut();
ResultSet rs=check();
try
{
if (!rs.next())
{
out.println("no data found");
}
else
{
out.println("<table border=2>");
out.println("<tr>");
out.println("<th>EmployeId</th>");
out.println("</tr>");
do
{
out.println("<tr>");
out.println("<td>"+rs.getString(1)+"</td>");
out.println("</tr>");
} while (rs.next());
}
}
catch(Exception ex)
{
}
return super.doEndTag();
}
}
下面是jsp頁面,在此輸入了字符串,並在提交時將重定向到另一個調用了tag的頁面。
<html>
<head>
</head>
<body>
<form method=post>
<input type=text style="color:grey" name=reqno </br>
<input type = submit name = submit value = Submit>
<%
String r=request.getParameter("reqno");
String btn=request.getParameter("submit");
HttpSession session1=request.getSession();
session1.setAttribute("requestno",r);
if (btn != null)
response.sendRedirect("findrequest1.jsp");
%>
</form>
</body>
</html>
在這里標簽被調用
<jsp:useBean id="MrBean" class="pack.java.findrequestmodel"/>
<jsp:setProperty name="MrBean" property="requestno" value=""/>
<%@ taglib uri="/WEB-INF/jsp2/taglib8.tld" prefix="easy" %>
<html>
<head>
<body>
<form method=post>
<input type = submit name = submit value = Back>
<%
HttpSession mysession = request.getSession();
String req = (String) mysession.getAttribute("requestno");
MrBean.setRequestno(req);
String btn = request.getParameter("submit");
if (btn != null)
response.sendRedirect("findrequest.jsp");
%>
<easy:myTag8/>
</form>
</body>
</html>
實際上,您想要的是使用特殊字符防止XSS攻擊。 因此,您實際上不必關心字符串中存在的字符。 您只需使用與PHP中的htmlspecialchars()
相同目的的函數對它們進行數據庫操作之前就必須對它們進行htmlspecialchars()
。
顯然,這種轉換也可以用Java完成。
String source = "Escape the less than sign (<) and ampersand (&)";
String escaped = StringEscapeUtils.escapeHtml(source);
// Will output "Escape the less than sign (<) and ampersand (&)"
String escaped = StringUtils.replaceEach(source, new String[]{"&", "<"}, new String[]{"&", "<"});
編輯:
以您的示例為例,您將必須在變量reqnum
中對特殊字符進行reqnum
因為您將在SQL請求中使用它:
String checkreq="";
String reqnum=(String)findrequestmodel.requestno.trim();
reqnum = StringEscapeUtils.escapeHtml(reqnum); // Espace special characters
// ... skipped code ...
rs=stmt.executeQuery(" select * from myadmin where reference_no='"+reqnum+"'"); // Safe
替代(更好)的解決方案
您不應該自己處理此問題,而應使用稱為PreparedStatement的東西(可以為您完成)以及其他有用的東西。
服務器端代碼:
<input type="text" name="something" value="<%= something %>">
攻擊:
" onfocus=alert(1) autofocus b=
結果:
<input type="text" name="something" value="" onfocus=alert(1) autofocus b=">
輸入驗證不太可能阻止所有XSS攻擊。 專注於輸出轉義: https : //www.owasp.org/index.php/XSS_( Cross_Site_Scripting) _Prevention_Cheat_Sheet
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.