在过滤器中判断URL是否被注入

巩固知识:
// Originating URL, taken from the Referer request header. This is a client-supplied
// header: it may be null and can be set to any value, so it is not proof of origin.
String fromURL = request.getHeader("Referer"); 

// Path part of the request only, e.g. /ssm/ser.do 
String url = request.getRequestURI();    

// Full URL without the query string, e.g. http://localhost:8080/ssm/ser.do  
StringBuffer url_buffer = request.getRequestURL(); 

// Commonly used request / header information.
// NOTE(review): every getHeader(...) value below is client-controlled input. Writing it
// unescaped into an HTML response allows script injection, and the Cookie / Session Id
// lines print the session token — acceptable in a debugging demo, not in production
// output or logs.
    out.println("Protocol: " + request.getProtocol());   
    out.println("Scheme: " + request.getScheme());   
    out.println("Server Name: " + request.getServerName() );   
    out.println("Server Port: " + request.getServerPort());   
    out.println("Protocol: " + request.getProtocol());   
    out.println("Server Info: " + getServletConfig().getServletContext().getServerInfo());   
    out.println("Remote Addr: " + request.getRemoteAddr());   
    out.println("Remote Host: " + request.getRemoteHost());   
    out.println("Character Encoding: " + request.getCharacterEncoding());   
    out.println("Content Length: " + request.getContentLength());   
    out.println("Content Type: "+ request.getContentType());   
    out.println("Auth Type: " + request.getAuthType());   
    out.println("HTTP Method: " + request.getMethod());   
    out.println("Path Info: " + request.getPathInfo());   
    out.println("Path Trans: " + request.getPathTranslated());   
    out.println("Query String: " + request.getQueryString());   
    out.println("Remote User: " + request.getRemoteUser());   
    // Session id as sent by the client (requested, not necessarily valid).
    out.println("Session Id: " + request.getRequestedSessionId());   
    out.println("Request URI: " + request.getRequestURI());   
    out.println("Servlet Path: " + request.getServletPath());   
    out.println("Accept: " + request.getHeader("Accept"));   
    out.println("Host: " + request.getHeader("Host"));   
    out.println("Referer : " + request.getHeader("Referer"));   
    out.println("Accept-Language : " + request.getHeader("Accept-Language"));   
    out.println("Accept-Encoding : " + request.getHeader("Accept-Encoding"));   
    out.println("User-Agent : " + request.getHeader("User-Agent"));   
    out.println("Connection : " + request.getHeader("Connection"));   
    // Raw Cookie header: contains the session cookie.
    out.println("Cookie : " + request.getHeader("Cookie"));   
    out.println("Created : " + session.getCreationTime());   
    out.println("LastAccessed : " + session.getLastAccessedTime());  



***********************************************
web.xml
<filter>
        <filter-name>URLFilter</filter-name>  
        <filter-class>com.shctc.util.URLFilter</filter-class>
        <init-param>
  		<param-name>sqlInj</param-name>
  		<!-- Pipe-separated substring blacklist; URLFilter splits it on "|" and redirects any
  		     request whose URL contains one of the entries. Note that "-", "+" and "," occur in
  		     ordinary URLs (hyphenated host names, "+" for spaces in query strings), so those
  		     entries block legitimate requests, and an empty entry (for example from "||") would
  		     match every URL because indexOf("") is 0. A blacklist like this is defence in depth
  		     at best; SQL injection is prevented by parameterised queries in the data layer. -->
  		<param-value>java|String|and|exec|insert|select|delete|update|*|chr|mid|master|truncate|char|declare|;|-|+|,</param-value>
  	  </init-param>
    </filter>
    <filter-mapping>  
        <filter-name>URLFilter</filter-name>  
        <!-- The filter's own redirect target (page/index.action) also matches this pattern, so a
             request that is flagged on a part of the URL the redirected URL shares would be
             flagged again and loop. -->
        <url-pattern>*.action</url-pattern>
    </filter-mapping>



Filter
public class URLFilter implements Filter{
	
	// NOTE(review): has no effect here. The only supertype visible is Filter, which is not
	// Serializable, so this field is never consulted and can be dropped.
	private static final long serialVersionUID = 12345L;

	// NOTE(review): package-visible and mutable; the conventional form is
	// `private static final Logger log = Logger.getLogger(URLFilter.class);`.
	Logger log =Logger.getLogger(URLFilter.class);
	// FilterConfig retained from init(); cleared again in destroy().
	private FilterConfig config=null;
	// Pipe-separated blacklist of substrings, read from the "sqlInj" init-param in init().
	private String sqlInj="";
	
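	/**
	 * Stores the filter configuration and reads the pipe-separated blacklist from the
	 * {@code sqlInj} init-param.
	 *
	 * @param config the filter configuration supplied by the container
	 * @throws ServletException if the {@code sqlInj} init-param is missing or blank. Failing
	 *         at startup is preferable to the NullPointerException that doFilter() would
	 *         otherwise throw on every request when the parameter is absent.
	 */
	public void init(FilterConfig config) throws ServletException{
		this.config=config;
		log.debug("FilterConfig:"+config);
		String configured = config.getInitParameter("sqlInj");
		// A missing or empty list is a deployment error, not something to discover per request.
		if (configured == null || configured.trim().isEmpty()) {
			throw new ServletException("URLFilter: required init-param 'sqlInj' is missing or empty");
		}
		sqlInj = configured;
	}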
	
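	/**
	 * Redirects requests whose URL (path plus query string) contains any configured blacklist
	 * substring to {@code page/index.action}; all other requests continue down the chain.
	 *
	 * <p>This is a coarse, defence-in-depth check only. A substring blacklist cannot reliably
	 * recognise SQL injection, and the real protection is parameterised queries
	 * (PreparedStatement) in the data layer. The query string is compared in the form the client
	 * sent it (getQueryString() is not URL-decoded). Note also that the redirect target itself
	 * matches the filter's {@code *.action} mapping, so a request flagged on a part of the URL
	 * that the redirected URL shares (for example a hyphen in the host name) redirects in a loop.
	 *
	 * @param request  incoming request; cast to HttpServletRequest
	 * @param response outgoing response; cast to HttpServletResponse
	 * @param chain    the remaining filter chain
	 * @throws IOException      from sendRedirect() or the rest of the chain
	 * @throws ServletException from the rest of the chain
	 */
	public void doFilter(ServletRequest request, ServletResponse response,
			FilterChain chain) throws IOException, ServletException{
		HttpServletRequest req = (HttpServletRequest) request;
		HttpServletResponse resp = (HttpServletResponse) response;
		String userIp = request.getRemoteAddr();
		// getQueryString() returns null when the request has no query part; plain
		// concatenation used to append the literal text "null" to the checked string.
		String query = req.getQueryString();
		String requestURL = req.getRequestURL().toString();
		if (query != null) {
			requestURL = requestURL + "?" + query;
		}
		log.debug("******请求用户来源:"+req.getHeader("Referer"));
		log.debug("******请求用户IP地址:"+userIp);
		log.debug("******请求URL:"+requestURL);

		String hit = findSensitiveToken(requestURL, sqlInj.split("\\|"));
		if (hit != null) {
			log.debug("******返回主页了,因为请求URL中含有敏感字符:"+hit);
			resp.sendRedirect("page/index.action");
			return;
		}

		// Hand the request on to the next filter, or to the target servlet when this is the last one.
		chain.doFilter(request, response);
	}

	/**
	 * Returns the first blacklist entry that occurs in {@code url}, or {@code null} if none does.
	 *
	 * <p>Matching is case-insensitive because SQL keywords are. Empty entries (produced by a
	 * leading, trailing or doubled "|" in the configured list) are skipped, since
	 * {@code indexOf("")} is 0 and would otherwise flag every request.
	 *
	 * @param url    the request URL to inspect
	 * @param tokens the configured blacklist entries
	 */
	static String findSensitiveToken(String url, String[] tokens) {
		String haystack = url.toLowerCase(java.util.Locale.ROOT);
		for (String token : tokens) {
			if (token.isEmpty()) {
				continue;
			}
			if (haystack.indexOf(token.toLowerCase(java.util.Locale.ROOT)) >= 0) {
				return token;
			}
		}
		return null;
	}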
	
	/**
	 * Releases the FilterConfig retained by {@link #init(FilterConfig)} when the container
	 * takes this filter out of service.
	 */
	public void destroy(){
		this.config = null;
	}
