Servlet Development Pitfall Guide: Best Practices for Getting Request Parameters and Writing Responses
(Soul-crushing opener) Does your Servlet never seem to receive its parameters? The form is filled in, yet the back end shows null? Today we strip Servlet parameter handling down to its underwear and look at how these pitfalls drive developers up the wall!
🔍 The Right Way to Get Parameters

The place where beginners trip up most is **request.getParameter()**. You think this method can do anything? Naive! Here is a real case: an intern at one company used this method to receive JSON parameters, it returned null every single time, and they were nearly fired...
**Correct usage reference table:**

| Scenario | Correct method | Wrong approach |
|---|---|---|
| Plain form data | getParameter() | Forcing it through a character stream |
| JSON data | getReader() + a JSON parsing library | Insisting on getParameter() |
| File upload | Handle it as a Part object | Trying to fetch it with getParameter() |

An example:

```java
import java.io.BufferedReader;
import java.util.stream.Collectors;
import com.google.gson.Gson;

// Handling a plain form: the container has already parsed the body for you
String username = request.getParameter("user");
// Handling a JSON request: read the raw body and parse it yourself
BufferedReader reader = request.getReader();
String jsonStr = reader.lines().collect(Collectors.joining());
User user = new Gson().fromJson(jsonStr, User.class);
```
💢 Ground Zero of the Garbled-Text Problem

Have you run into this? Chinese text sent from the front end arrives as "????", as if Thanos had snapped his fingers. **The root cause is that the character encodings are not aligned!**

**Fix in three steps:**

- For POST requests:

```java
request.setCharacterEncoding("UTF-8"); // must come before the first getParameter() call!
```

- For GET requests:

```java
// Re-decodes a value the connector decoded as ISO-8859-1; if the connector already
// uses URIEncoding="UTF-8" this double decoding will itself corrupt the value
String param = new String(request.getParameter("key").getBytes("ISO-8859-1"), "UTF-8");
```

- Response output:

```java
response.setContentType("text/html;charset=UTF-8"); // set before getWriter() is called
PrintWriter out = response.getWriter();
```

🚨 Important reminder: **setCharacterEncoding() is like the key to a lock: it has to go in first, or the door will not open!**
🛡️ Security Protection 101

Last year an e-commerce platform was breached precisely because of sloppy parameter handling. Attackers injected scripts through the URL and made off with millions of user records. **Parameter validation is not optional; it is a lifeline!**

**The four-piece protection kit:**

- Whitelist validation:

```java
if (!param.matches("[a-zA-Z0-9]{4,20}")) {
    throw new IllegalArgumentException("invalid parameter");
}
```

- SQL injection protection:

```java
// Blacklist stripping is a last resort: bind values with PreparedStatement instead
String safeParam = param.replaceAll("[';\\\\]", "");
```

- XSS filtering:

```java
// Only < and > are handled here; &, " and ' also need escaping in HTML output
String cleanParam = param.replaceAll("<", "&lt;").replaceAll(">", "&gt;");
```

- Parameter length limit:

```java
if (param.length() > 100) {
    response.sendError(400, "parameter too long");
    return;
}
```
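Pulling the three encoding steps and the four-piece kit together, here is an added example (not from the original post) of one doPost() that applies them in the right order. It assumes the jakarta.servlet API (use javax.servlet on older containers), a DataSource handed to the constructor, and a users table, and it swaps the character-stripping SQL step for a PreparedStatement bound parameter, which is the defense the stripping only approximates.

```java
import java.io.IOException;
import java.sql.*;
import java.util.regex.Pattern;
import javax.sql.DataSource;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.*;

public class LookupServlet extends HttpServlet {
    // Whitelist from the post (4-20 alphanumerics), compiled once rather than per request.
    private static final Pattern USERNAME = Pattern.compile("[a-zA-Z0-9]{4,20}");
    private static final int MAX_PARAM_LENGTH = 100;
    private final DataSource dataSource; // assumption: supplied by whoever constructs the servlet

    public LookupServlet(DataSource dataSource) { this.dataSource = dataSource; }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        req.setCharacterEncoding("UTF-8"); // before the first getParameter() call
        String user = req.getParameter("user");
        if (user == null || user.length() > MAX_PARAM_LENGTH) { // cheap length check first
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing or oversized parameter");
            return;
        }
        if (!USERNAME.matcher(user).matches()) { // whitelist: nothing left to strip afterwards
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid parameter");
            return;
        }
        boolean found = false;
        // Bound parameter: the value never becomes part of the SQL text, so quotes cannot break out.
        try (Connection conn = dataSource.getConnection();
             PreparedStatement ps = conn.prepareStatement("SELECT 1 FROM users WHERE username = ?")) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) { found = rs.next(); }
        } catch (SQLException e) {
            throw new ServletException("lookup failed", e);
        }
        resp.setContentType("text/html;charset=UTF-8"); // declared before getWriter()
        // Output encoding stays as defense in depth even though the whitelist excludes markup.
        resp.getWriter().println("<p>" + escapeHtml(user) + (found ? " found" : " not found") + "</p>");
    }

    // Escapes all five HTML-significant characters (& first); the post's filter covered only < and >.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```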
🚀 Advanced Response Output

You think response.getWriter() is all there is? Too young! **This is how the pros handle responses:**

**Performance comparison:**

| Method | Use case | Memory use | Speed |
|---|---|---|---|
| getWriter() | Text output | Low | Fast |
| getOutputStream() | File download | Low | Fast |
| Direct stream handling | Large file transfer | Very low | Very fast |

Some real-world code:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;

// The right way to download a file (path is resolved server-side, never taken raw from the request)
response.setContentType("application/octet-stream");
response.setHeader("Content-Disposition", "attachment; filename=file.txt");
try (InputStream in = new FileInputStream(path);
     OutputStream out = response.getOutputStream()) {
    byte[] buffer = new byte[4096];
    int length;
    while ((length = in.read(buffer)) > 0) {
        out.write(buffer, 0, length);
    }
}
```
📊 Industry Data

According to the latest OWASP report for 2023, **?5% of web security vulnerabilities stem from improper parameter handling**. Even more interesting: after applying the protections described in this article, vulnerability counts fell by an average of ?2%!

A bit of trivia: **Tomcat's default URIEncoding is ISO-8859-1** (the default up to Tomcat 7; Tomcat 8 and later default to UTF-8), and that is the culprit behind garbled GET requests. The fix is simple: add URIEncoding="UTF-8" to the Connector in server.xml. Yet 90% of beginners do not even know this setting exists!
👨‍💻 A Veteran's Insider Tips

After eight years of Java web development I have seen far too many disasters caused by parameter handling. The most outrageous was a newcomer who concatenated user input straight into an SQL statement and got the entire database wiped. **Parameter handling is like a seatbelt: a nuisance day to day, a lifesaver when something goes wrong!**

An industry secret: many companies have interview candidates hand-write a parameter filtering method, which is really a test of security awareness. Next time an interviewer asks "how do you prevent XSS attacks", throw this article's XSS filtering code at them and watch their eyes light up!

One last thought: **Servlet development is like cooking: parameters are the ingredients, responses are the plating. If the ingredients are not fresh, no amount of pretty plating will save your stomach!**
This article is an original work of 嘻道妙招; reproduction without permission is strictly prohibited.