java 过滤器filter防sql注入的实现代码

public void doFilter(ServletRequest servletrequest,			ServletResponse servletresponse, FilterChain filterchain)			throws IOException, ServletException {				//flag = true 只做URL验证; flag = false 做所有字段的验证;		boolean flag = true;		if(flag){			//只对URL做xss校验			HttpServletRequest httpServletRequest = (HttpServletRequest) servletrequest;			HttpServletResponse httpServletResponse = (HttpServletResponse) servletresponse;						String requesturi = httpServletRequest.getRequestURL().toString();			requesturi = URLDecoder.decode(requesturi, "UTF-8");			if(requesturi!=null&&requesturi.indexOf("alipay_hotel_book_return.html")!=-1){				filterchain.doFilter(servletrequest, servletresponse);				return;			}			if(requesturi!=null&&requesturi.indexOf("account_bank_return.html")!=-1){				filterchain.doFilter(servletrequest, servletresponse);				return;			}			if(requesturi!=null&&requesturi.indexOf("/alipay/activity.html")!=-1){				filterchain.doFilter(servletrequest, servletresponse);				return ;			}			if(requesturi!=null&&requesturi.indexOf("/alipayLogin.html")!=-1){				filterchain.doFilter(servletrequest, servletresponse);				return ;			}			RequestWrapper rw = new RequestWrapper(httpServletRequest);			String param = httpServletRequest.getQueryString();			if(!"".equals(param) && param != null) {				param = URLDecoder.decode(param, "UTF-8");				String originalurl = requesturi + param;								String sqlParam = param;				//添加sql注入的判断				if(requesturi.endsWith("/askQuestion.html") || requesturi.endsWith("/member/answer.html")){					sqlParam = rw.cleanSQLInject(param);				}								String xssParam = rw.cleanXSS(sqlParam);				requesturi += "?"+xssParam;												if(!xssParam.equals(param)){					System.out.println("requesturi::::::"+requesturi);					httpServletResponse.sendRedirect(requesturi);					System.out.println("no entered.");//					filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);					return ;				}			}			filterchain.doFilter(servletrequest, servletresponse);		}else{						//对请求中的所有东西都做校验，包括表单。此功能校验比较严格容易屏蔽表单正常输入，使用此功能请注意。			filterchain.doFilter(new RequestWrapper((HttpServletRequest) servletrequest), servletresponse);		}	}requestMapping: public RequestWrapper(){		super(null);	}	public RequestWrapper(HttpServletRequest httpservletrequest) {		super(httpservletrequest);	}	public String[] getParameterValues(String s) {		String str[] = super.getParameterValues(s);		if (str == null) {			return null;		}		int i = str.length;		String as1[] = new String[i];		for (int j = 0; j < i; j++) {			as1[j] = cleanXSS(cleanSQLInject(str[j]));		}		return as1;	}	public String getParameter(String s) {		String s1 = super.getParameter(s);		if (s1 == null) {			return null;		} else {			return cleanXSS(cleanSQLInject(s1));		}	}	public String getHeader(String s) {		String s1 = super.getHeader(s);		if (s1 == null) {			return null;		} else {			return cleanXSS(cleanSQLInject(s1));		}	}	public String cleanXSS(String src) {		String temp =src;		System.out.println("xss---temp-->"+src);    src = src.replaceAll("<", "<").replaceAll(">", ">");    // if (src.indexOf("address")==-1)	//	{     src = src.replaceAll("//(", "(").replaceAll("//)", ")");		//}       src = src.replaceAll("'", "'");        Pattern pattern=Pattern.compile("(eval//((.*)//)|script)",Pattern.CASE_INSENSITIVE);  	  Matcher matcher=pattern.matcher(src);  	  src = matcher.replaceAll("");	  pattern=Pattern.compile("[///"//'][//s]*javascript:(.*)[///"//']",Pattern.CASE_INSENSITIVE); 	  matcher=pattern.matcher(src);	  src = matcher.replaceAll("/"/"");	  	  //增加脚本 	  src = src.replaceAll("script", "").replaceAll(";", "")	  	.replaceAll("/"", "").replaceAll("@", "")	  	.replaceAll("0x0d", "")	  	.replaceAll("0x0a", "").replaceAll(",", "");		if(!temp.equals(src)){			System.out.println("输入信息存在xss攻击！");			System.out.println("原始输入信息-->"+temp);			System.out.println("处理后信息-->"+src);		}		return src;	}		//需要增加通配，过滤大小写组合	public String cleanSQLInject(String src) {		String temp =src;    src = src.replaceAll("insert", "forbidI")    	.replaceAll("select", "forbidS")    	.replaceAll("update", "forbidU")    	.replaceAll("delete", "forbidD")    	.replaceAll("and", "forbidA")    	.replaceAll("or", "forbidO");    		if(!temp.equals(src)){			System.out.println("输入信息存在SQL攻击！");			System.out.println("原始输入信息-->"+temp);			System.out.println("处理后信息-->"+src);		}		return src;	}

<filter>		<filter-name>XssFilter</filter-name>		<filter-class>cn.com.jsoft.xss.XSSFilter</filter-class>		<init-param>			<param-name>encoding</param-name>			<param-value>UTF-8</param-value>		</init-param>	</filter>	<filter-mapping>		<filter-name>XssFilter</filter-name>		<url-pattern>/*</url-pattern>	</filter-mapping>