Sharing methods for project security handling in Java-javaTutorial-php.cn

Home

Java

javaTutorial

Sharing methods for project security handling in Java

黄舟

Sep 19, 2017 am 10:40 AM

javadeal withSafety

这篇文章主要介绍了Java项目安全处理方法，URL中参数显示,sql拼接问题,需要的朋友可以参考下

一、URL中参数显示问题，解决方案：

1、普通Get请求修改为Post请求

2、参数加密（js加密，Java解密）

二、Mybatis模糊查询中，sql拼接问题，解决方案方案：

1、使用安全的符号和方法，xml中拼接示例：

<if test="stateList != null">
  state in 
  <foreach close=")" collection="stateList" index="index" item="sta" open="(" separator=",">
    #{stateList[${index}]}
  </foreach>
</if>
<if test="title != null and title != &#39;&#39;">
    and title like concat(&#39;%&#39;,#{title},&#39;%&#39;) 
</if>

2、Java中转义特殊字符，Java中字符处理示例：

param = param.replace("%", "\\%");
param = param.replace("_", "\\_");
param = param.replace(",", "\\,");
param = param.replace("&#39;", "\\&#39;");
param = param.replace("/", "//");
param = param.replace("\\", \\\\);

三、文件上传安全问题

解决方案：判断文件名、请求ContentType和文件头内容。

文件头内容判断：

常见文件类型识别

常用文件的头信息： 
JPEG (jpg)，文件头：FFD8FFE1 
PNG (png)，文件头：89504E47 
GIF (gif)，文件头：47494638
TIFF (tif)，文件头：49492A00 
Windows Bitmap (bmp)，文件头：424D 
CAD (dwg)，文件头：41433130
Adobe Photoshop (psd)，文件头：38425053
Rich Text Format (rtf)，文件头：7B5C727466 
XML (xml)，文件头：3C3F786D6C 
HTML (html)，文件头：68746D6C3E 
Email [thorough only] (eml)，文件头：44656C69766572792D646174653A 
Outlook Express (dbx)，文件头：CFAD12FEC5FD746F 
Outlook (pst)，文件头：2142444E 
MS Word/Excel (xls.or.doc)，文件头：D0CF11E0 
MS Access (mdb)，文件头：5374616E64617264204A 
WordPerfect (wpd)，文件头：FF575043 
Postscript (eps.or.ps)，文件头：252150532D41646F6265 
Adobe Acrobat (pdf)，文件头：255044462D312E 
Quicken (qdf)，文件头：AC9EBD8F 
Windows Password (pwl)，文件头：E3828596 
ZIP Archive (zip)，文件头：504B0304 
RAR Archive (rar)，文件头：52617221
Wave (wav)，文件头：57415645
AVI (avi)，文件头：41564920
Real Audio (ram)，文件头：2E7261FD 
Real Media (rm)，文件头：2E524D46 
MPEG (mpg)，文件头：000001BA 
MPEG (mpg)，文件头：000001B3 
Quicktime (mov)，文件头：6D6F6F76 
Windows Media (asf)，文件头：3026B2758E66CF11 
MIDI (mid)，文件头：4D546864

java附件上传时后台验证上传文件的合法性

public static Map<string, string=""> mFileTypes = new HashMap<string, string="">();
static {
    // imagesFFD8FFE1
    mFileTypes.put("FFD8FFE1", ".jpg");
    mFileTypes.put("FFD8FFE0", ".jpg");
    mFileTypes.put("89504E47", ".png");
    mFileTypes.put("47494638", ".gif");
    mFileTypes.put("49492A00", ".tif");
    mFileTypes.put("424D", ".bmp");
    // 办公文档类
    mFileTypes.put("D0CF11E0", ".doc"); // ppt、doc、xls
    mFileTypes.put("504B0304", ".docx"); // pptx、docx、xlsx
    /** 注意由于文本文档录入内容过多，则读取文件头时较为多变-START **/
    mFileTypes.put("0D0A0D0A", ".txt"); // txt
    mFileTypes.put("0D0A2D2D", ".txt"); // txt
    mFileTypes.put("0D0AB4B4", ".txt"); // txt
    mFileTypes.put("B4B4BDA8", ".txt"); // 文件头部为汉字
    mFileTypes.put("73646673", ".txt"); // txt,文件头部为英文字母
    mFileTypes.put("32323232", ".txt"); // txt,文件头部内容为数字
    mFileTypes.put("0D0A09B4", ".txt"); // txt,文件头部内容为数字
    mFileTypes.put("3132330D", ".txt"); // txt,文件头部内容为数字
    /** 注意由于文本文档录入内容过多，则读取文件头时较为多变-END **/
    mFileTypes.put("25504446", ".pdf");
    mFileTypes.put("255044462D312E", ".pdf");
    // 压缩包
    mFileTypes.put("52617221", ".rar");
    mFileTypes.put("1F8B08", ".gz");
}
/**
    * 判断上传的文件是否合法
    * 
    * @param file
    *            文件
    * @param contentType
    *            是否指定类型
    * @param typeStr
    *            文件类型后缀名(.jpg,.png,.gif,.jpeg)
    * @return
    */
public Boolean checkFileIllegal(MultipartFile file, String fileName, String typeStr) {
    if (!file.isEmpty()) {
        if (StringUtils.isNotBlank(file.getContentType())) {
            String type = null;
            try {
                type = getFileType(file.getInputStream());
            } catch (IOException e) {
            logger.error("checkFileIllegal->getFileType->error:" + e.getMessage());
            return false;
        }
        if (null != type && -1 != typeStr.indexOf(type)) {
            int index = fileName.lastIndexOf(".");
            if (StringUtils.isNotBlank(fileName) && -1 != index) {
                String fileType = fileName.substring(index).toLowerCase();
                if (-1 != typeStr.indexOf(fileType)) {
                    return true;
                    }
                }
            }
        }
    }
    return false;
}
/**
 * 根据文件的输入流获取文件头信息
 * @return 文件头信息
 */
public static String getFileType(InputStream is) {
    byte[] b = new byte[4];
    if (is != null) {
        try {
            is.read(b, 0, b.length);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    return mFileTypes.get(getFileHeader(b));
}

总结

The above is the detailed content of Sharing methods for project security handling in Java. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

How do I use Maven or Gradle for advanced Java project management, build automation, and dependency resolution?Mar 17, 2025 pm 05:46 PM

The article discusses using Maven and Gradle for Java project management, build automation, and dependency resolution, comparing their approaches and optimization strategies.

How do I create and use custom Java libraries (JAR files) with proper versioning and dependency management?Mar 17, 2025 pm 05:45 PM

The article discusses creating and using custom Java libraries (JAR files) with proper versioning and dependency management, using tools like Maven and Gradle.

How do I implement multi-level caching in Java applications using libraries like Caffeine or Guava Cache?Mar 17, 2025 pm 05:44 PM

The article discusses implementing multi-level caching in Java using Caffeine and Guava Cache to enhance application performance. It covers setup, integration, and performance benefits, along with configuration and eviction policy management best pra

How can I use JPA (Java Persistence API) for object-relational mapping with advanced features like caching and lazy loading?Mar 17, 2025 pm 05:43 PM

The article discusses using JPA for object-relational mapping with advanced features like caching and lazy loading. It covers setup, entity mapping, and best practices for optimizing performance while highlighting potential pitfalls.[159 characters]

How does Java's classloading mechanism work, including different classloaders and their delegation models?Mar 17, 2025 pm 05:35 PM

Java's classloading involves loading, linking, and initializing classes using a hierarchical system with Bootstrap, Extension, and Application classloaders. The parent delegation model ensures core classes are loaded first, affecting custom class loa

See all articles