package com.ljq.demo.util;
import java.util.regex.Pattern;
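/**
 * Utility for screening user-supplied SQL fragments against a keyword denylist.
 *
 * <p>This is a denylist check, not a SQL parser: it rejects input that contains a
 * single quote, a comment marker, or one of a fixed set of keywords. It does not make
 * string-concatenated SQL safe on its own; values should still be bound through
 * {@code PreparedStatement} parameters, with this check used only as an additional
 * filter.
 *
 * @Author: junqiang.lu
 * @Date: 2018/11/28
 */
public final class SqlCheckUtil {

    /** Maximum accepted input length in characters (1 MiB). */
    private static final int MAX_SQL_LENGTH = 1024 * 1024;

    /**
     * Denylist: a single quote, the {@code --} line-comment marker, a {@code /* ... *}{@code /}
     * block comment, or any of the listed keywords as a whole word (case-insensitive).
     * Common words such as "and", "or" and "count" are on the list, so any input that
     * contains them as a whole word is rejected even when it is legitimate SQL; the
     * intended input appears to be a short fragment rather than a full statement.
     * "truncate" was previously misspelled "trancate", which let TRUNCATE statements
     * through; the duplicate "into" entry has also been removed.
     */
    private static final String SQL_INJECTION_REGEX =
            "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|"
            + "(\\b(select|update|union|and|or|delete|insert|truncate|char|"
            + "into|substr|ascii|declare|exec|count|master|drop|execute)\\b)";

    /** Compiled once; {@link Pattern} is immutable and safe to share across threads. */
    private static final Pattern SQL_INJECTION_PATTERN =
            Pattern.compile(SQL_INJECTION_REGEX, Pattern.CASE_INSENSITIVE);

    private SqlCheckUtil() {
    }

    /**
     * Returns {@code sql} unchanged if it passes the denylist, otherwise {@code null}.
     *
     * <p>{@code null} is returned when:
     * <ol>
     *   <li>{@code sql} is {@code null} or empty;</li>
     *   <li>{@code sql} matches the injection denylist (quote, comment marker, or a
     *       listed keyword as a whole word).</li>
     * </ol>
     *
     * @param sql the SQL fragment to screen; may be {@code null}
     * @return the original {@code sql} if it passes the check, or {@code null}
     * @throws IllegalArgumentException if {@code sql} is longer than
     *         {@value #MAX_SQL_LENGTH} characters (the signature keeps
     *         {@code throws Exception} for backward compatibility with existing callers)
     */
    public static String getSafeSQL(String sql) throws Exception {
        if (sql == null || sql.isEmpty()) {
            return null;
        }
        // Reject oversized input before the regex is run against it.
        if (sql.length() > MAX_SQL_LENGTH) {
            throw new IllegalArgumentException("Query string is too long (" + sql.length()
                    + " chars); it must not exceed " + MAX_SQL_LENGTH + " characters.");
        }
        return SQL_INJECTION_PATTERN.matcher(sql).find() ? null : sql;
    }
}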