这篇文章主要介绍了Java项目安全处理方法,URL中参数显示,sql拼接问题,需要的朋友可以参考下
一、URL中参数显示问题,解决方案:
1、普通Get请求修改为Post请求
2、参数加密(js加密,Java解密)
二、Mybatis模糊查询中,sql拼接问题,解决方案方案:
1、使用安全的符号和方法,xml中拼接示例:
<if test="stateList != null">
state in
<foreach close=")" collection="stateList" index="index" item="sta" open="(" separator=",">
#{stateList[${index}]}
</foreach>
</if>
<if test="title != null and title != ''">
and title like concat('%',#{title},'%')
</if>2、Java中转义特殊字符,Java中字符处理示例:
param = param.replace("%", "\\%");
param = param.replace("_", "\\_");
param = param.replace(",", "\\,");
param = param.replace("'", "\\'");
param = param.replace("/", "//");
param = param.replace("\\", \\\\);三、文件上传安全问题
解决方案:判断文件名、请求ContentType和文件头内容。
文件头内容判断:
常见文件类型识别
常用文件的头信息: JPEG (jpg),文件头:FFD8FFE1 PNG (png),文件头:89504E47 GIF (gif),文件头:47494638 TIFF (tif),文件头:49492A00 Windows Bitmap (bmp),文件头:424D CAD (dwg),文件头:41433130 Adobe Photoshop (psd),文件头:38425053 Rich Text Format (rtf),文件头:7B5C727466 XML (xml),文件头:3C3F786D6C HTML (html),文件头:68746D6C3E Email [thorough only] (eml),文件头:44656C69766572792D646174653A Outlook Express (dbx),文件头:CFAD12FEC5FD746F Outlook (pst),文件头:2142444E MS Word/Excel (xls.or.doc),文件头:D0CF11E0 MS Access (mdb),文件头:5374616E64617264204A WordPerfect (wpd),文件头:FF575043 Postscript (eps.or.ps),文件头:252150532D41646F6265 Adobe Acrobat (pdf),文件头:255044462D312E Quicken (qdf),文件头:AC9EBD8F Windows Password (pwl),文件头:E3828596 ZIP Archive (zip),文件头:504B0304 RAR Archive (rar),文件头:52617221 Wave (wav),文件头:57415645 AVI (avi),文件头:41564920 Real Audio (ram),文件头:2E7261FD Real Media (rm),文件头:2E524D46 MPEG (mpg),文件头:000001BA MPEG (mpg),文件头:000001B3 Quicktime (mov),文件头:6D6F6F76 Windows Media (asf),文件头:3026B2758E66CF11 MIDI (mid),文件头:4D546864
java附件上传时后台验证上传文件的合法性
public static Map<string, string=""> mFileTypes = new HashMap<string, string="">();
static {
// imagesFFD8FFE1
mFileTypes.put("FFD8FFE1", ".jpg");
mFileTypes.put("FFD8FFE0", ".jpg");
mFileTypes.put("89504E47", ".png");
mFileTypes.put("47494638", ".gif");
mFileTypes.put("49492A00", ".tif");
mFileTypes.put("424D", ".bmp");
// 办公文档类
mFileTypes.put("D0CF11E0", ".doc"); // ppt、doc、xls
mFileTypes.put("504B0304", ".docx"); // pptx、docx、xlsx
/** 注意由于文本文档录入内容过多,则读取文件头时较为多变-START **/
mFileTypes.put("0D0A0D0A", ".txt"); // txt
mFileTypes.put("0D0A2D2D", ".txt"); // txt
mFileTypes.put("0D0AB4B4", ".txt"); // txt
mFileTypes.put("B4B4BDA8", ".txt"); // 文件头部为汉字
mFileTypes.put("73646673", ".txt"); // txt,文件头部为英文字母
mFileTypes.put("32323232", ".txt"); // txt,文件头部内容为数字
mFileTypes.put("0D0A09B4", ".txt"); // txt,文件头部内容为数字
mFileTypes.put("3132330D", ".txt"); // txt,文件头部内容为数字
/** 注意由于文本文档录入内容过多,则读取文件头时较为多变-END **/
mFileTypes.put("25504446", ".pdf");
mFileTypes.put("255044462D312E", ".pdf");
// 压缩包
mFileTypes.put("52617221", ".rar");
mFileTypes.put("1F8B08", ".gz");
}
/**
* 判断上传的文件是否合法
*
* @param file
* 文件
* @param contentType
* 是否指定类型
* @param typeStr
* 文件类型后缀名(.jpg,.png,.gif,.jpeg)
* @return
*/
public Boolean checkFileIllegal(MultipartFile file, String fileName, String typeStr) {
if (!file.isEmpty()) {
if (StringUtils.isNotBlank(file.getContentType())) {
String type = null;
try {
type = getFileType(file.getInputStream());
} catch (IOException e) {
logger.error("checkFileIllegal->getFileType->error:" + e.getMessage());
return false;
}
if (null != type && -1 != typeStr.indexOf(type)) {
int index = fileName.lastIndexOf(".");
if (StringUtils.isNotBlank(fileName) && -1 != index) {
String fileType = fileName.substring(index).toLowerCase();
if (-1 != typeStr.indexOf(fileType)) {
return true;
}
}
}
}
}
return false;
}
/**
* 根据文件的输入流获取文件头信息
* @return 文件头信息
*/
public static String getFileType(InputStream is) {
byte[] b = new byte[4];
if (is != null) {
try {
is.read(b, 0, b.length);
} catch (IOException e) {
e.printStackTrace();
}
}
return mFileTypes.get(getFileHeader(b));
}总结
The above is the detailed content of Sharing methods for project security handling in Java. For more information, please follow other related articles on the PHP Chinese website!
How does IntelliJ IDEA identify the port number of a Spring Boot project without outputting a log?Apr 19, 2025 pm 11:45 PMStart Spring using IntelliJIDEAUltimate version...
How to elegantly obtain entity class variable names to build database query conditions?Apr 19, 2025 pm 11:42 PMWhen using MyBatis-Plus or other ORM frameworks for database operations, it is often necessary to construct query conditions based on the attribute name of the entity class. If you manually every time...
Java BigDecimal operation: How to accurately control the accuracy of calculation results?Apr 19, 2025 pm 11:39 PMJava...
How to use the Redis cache solution to efficiently realize the requirements of product ranking list?Apr 19, 2025 pm 11:36 PMHow does the Redis caching solution realize the requirements of product ranking list? During the development process, we often need to deal with the requirements of rankings, such as displaying a...
How to safely convert Java objects to arrays?Apr 19, 2025 pm 11:33 PMConversion of Java Objects and Arrays: In-depth discussion of the risks and correct methods of cast type conversion Many Java beginners will encounter the conversion of an object into an array...
How do I convert names to numbers to implement sorting and maintain consistency in groups?Apr 19, 2025 pm 11:30 PMSolutions to convert names to numbers to implement sorting In many application scenarios, users may need to sort in groups, especially in one...
E-commerce platform SKU and SPU database design: How to take into account both user-defined attributes and attributeless products?Apr 19, 2025 pm 11:27 PMDetailed explanation of the design of SKU and SPU tables on e-commerce platforms This article will discuss the database design issues of SKU and SPU in e-commerce platforms, especially how to deal with user-defined sales...
How to set the default run configuration list of SpringBoot projects in Idea for team members to share?Apr 19, 2025 pm 11:24 PMHow to set the SpringBoot project default run configuration list in Idea using IntelliJ...
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
Dreamweaver Mac version
Visual web development tools
