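/**
 * Spring MVC interceptor that rejects requests whose query/form parameters look like SQL
 * injection payloads.
 *
 * <p>This is a blacklist heuristic, not a substitute for parameterized queries. It inspects only
 * {@code request.getParameterMap()} (not headers, the request path or a JSON body), and the
 * keyword list contains ordinary English words ({@code or}, {@code and}, {@code into},
 * {@code count}, {@code char}, ...) so legitimate free-text input can be rejected as a false
 * positive. Treat it as defense in depth; the primary control stays in the data-access layer
 * ({@code PreparedStatement} / bound parameters).
 */
@Slf4j
public class SqlInjectionInterceptor extends HandlerInterceptorAdapter {

    /**
     * Matches a single quote, an SQL line-comment marker ({@code --}), a block comment
     * ({@code /* ... *}{@code /}, spanning any character including every line terminator), or
     * one of the listed SQL keywords as a whole word.
     */
    private static final String REGEX =
            "(?:')|(?:--)|(/\\*[\\s\\S]*?\\*/)|"
                    + "(\\b(or|and|select|union|ascii|substr|into|chr|mid|char|declare|count|exec"
                    + "|insert|drop|grant|alter|delete|update|master|truncate|execute)\\b)";

    // Compiled once per class load; Pattern is immutable and safe to share across request threads.
    private static final Pattern PATTERN = Pattern.compile(REGEX, Pattern.CASE_INSENSITIVE);

    /**
     * Rejects the request when any parameter value matches {@link #PATTERN}; otherwise delegates
     * to the superclass.
     *
     * @param request  the incoming request whose parameter map is scanned
     * @param response unused here, passed through to {@code super.preHandle}
     * @param handler  unused here, passed through to {@code super.preHandle}
     * @return whatever {@code super.preHandle} returns when no parameter matches
     * @throws Exception the {@code BAD_REQUEST} runtime exception on a hit, or whatever
     *     {@code super.preHandle} throws
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        String targetString = firstSuspiciousValue(request.getParameterMap());
        if (targetString != null) {
            // targetString is raw, untrusted input echoed into the log; it may come from a
            // sensitive field (e.g. a password containing an apostrophe), so handle these log
            // lines accordingly. Message format kept unchanged for existing log-based alerting.
            log.error("Sql injection hit [{}] in [{}]", targetString, request.getRequestURL());
            throw BAD_REQUEST.runtimeException("Param not support sql keys.");
        }
        return super.preHandle(request, response, handler);
    }

    /**
     * Returns the first non-empty parameter value that matches {@link #PATTERN}, or {@code null}
     * when nothing matches. Scanning stops at the first hit; the previous implementation only
     * broke out of the inner loop, so it kept scanning and reported the last matching parameter.
     *
     * @param parameterMap the servlet parameter map; {@code null} or a {@code null} value array
     *     is treated as "no match"
     */
    private static String firstSuspiciousValue(Map<String, String[]> parameterMap) {
        if (parameterMap == null) {
            return null;
        }
        for (String[] values : parameterMap.values()) {
            if (values == null) {
                continue;
            }
            for (String s : values) {
                if (!StringUtils.isEmpty(s) && PATTERN.matcher(s).find()) {
                    return s;
                }
            }
        }
        return null;
    }
}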