by SmartWare

HOW TO

1. Classpath

The AntiSQLFilter jar file must be present on your web application's classpath
(i.e. [my-webapp directory | my war file]/WEB-INF/lib).

2. web.xml

Your web.xml file must configure AntiSQLFilter:

</filter-mapping> <listener>

About initial parameters:

a) logging = true - the ServletContext log method will be called to register any SQL Injection attempt, like this:

Possible SQL injection attempt #1 at Mon Aug 29 20:17:03 BRT 2005
Remote Address:
Remote User: null
Session Id: B66B7EB264DB1FB67748B4B595D0395F
URI: /virtual-store/
Parameters via POST
  password = 567567567
  Submit = enter
  email = ' and 0=0; --

b) behavior = forward - in case of a SQL Injection the filter forwards the request to a specific resource (see forwardTo). There are two other possible behaviors:

behavior = protect - (the default behavior) dangerous SQL keywords have their 2nd character suppressed and dangerous SQL delimiters are replaced with a blank space. Afterwards the request flows as expected.

behavior = throw - a ServletException is thrown, breaking the request flow.

c) forwardTo - the resource to forward to (used when behavior = forward).

J2EE Filter issues:

a) We recommend configuring AntiSQLFilter as the 1st application filter: a filter that runs before it can short-circuit the filter chain and skip AntiSQLFilter's work entirely.

b) You can configure as many <filter-mapping> elements as you want for the same AntiSQLFilter <filter-name> element - that's the way to catch requests for multiple resource patterns (*.jsp). Of course the /* url-pattern can be used as well.

4. Deploy

Deploy your web application as usual.

5. Test

The following SQL delimiters / keywords are detected by AntiSQLFilter. Use them in your regular URLs and HTML forms to test your configuration (and watch your ServletContext log file):

  • ;
  • "
  • '
  • /*
  • */
  • --
  • exec
  • select
  • update
  • delete
  • insert
  • alter
  • drop
  • create
  • shutdown
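To make the initial parameters of section 2 and the test list of section 5 concrete, here is an added Python model of what the filter does with a request; it is example code written for this page, not AntiSQLFilter's own implementation. It uses the delimiter and keyword lists above and the three behaviors (protect, forward, throw), and it reproduces the shape of the log entry shown in section 2. The exact matching rules (case-insensitive, whole-word keywords), the `Request` class and the function names are assumptions. The second sample request is constructed to show a false positive: a plain-English message containing "delete" is mangled by protect mode, which is the trade-off of a keyword blacklist that a deployer should expect and test for.

```python
"""Model of AntiSQLFilter's configured behaviors (added example, not the project's code).

Detection uses the delimiter and keyword lists from section 5; the exact matching
rules (case-insensitive, whole-word keywords) are assumptions made here.
"""
import itertools
import re
from dataclasses import dataclass
from datetime import datetime

# Delimiters and keywords listed in section 5 of the how-to.
DELIMITERS = [";", '"', "'", "/*", "*/", "--"]
KEYWORDS = ["exec", "select", "update", "delete", "insert",
            "alter", "drop", "create", "shutdown"]

# Assumption: keywords are matched case-insensitively as whole words.
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\b", re.IGNORECASE)

_attempts = itertools.count(1)  # numbers the "Possible SQL injection attempt #n" entries


@dataclass
class Request:
    """The request fields that appear in the filter's log entry (hypothetical class)."""
    uri: str
    params: dict
    method: str = "POST"
    remote_addr: str = ""
    remote_user: str = None
    session_id: str = ""


class SQLInjectionAttempt(Exception):
    """Stands in for the ServletException raised by 'behavior = throw'."""


def find_hits(value):
    """Return every listed delimiter and keyword present in one parameter value."""
    hits = [d for d in DELIMITERS if d in value]
    hits += [m.group(0) for m in KEYWORD_RE.finditer(value)]
    return hits


def protect(value):
    """'behavior = protect': drop the 2nd character of each keyword and replace
    each delimiter with a blank space, then let the request continue."""
    out = KEYWORD_RE.sub(lambda m: m.group(0)[0] + m.group(0)[2:], value)
    for d in DELIMITERS:
        out = out.replace(d, " ")
    return out


def format_log_entry(req, now=None):
    """Build an entry in the shape of the ServletContext log sample (no time zone)."""
    now = now or datetime.now()
    lines = [
        f"Possible SQL injection attempt #{next(_attempts)} at {now:%a %b %d %H:%M:%S %Y}",
        f"Remote Address: {req.remote_addr}",
        f"Remote User: {'null' if req.remote_user is None else req.remote_user}",
        f"Session Id: {req.session_id}",
        f"URI: {req.uri}",
        f"Parameters via {req.method}",
    ]
    lines += [f"  {k} = {v}" for k, v in req.params.items()]
    return "\n".join(lines)


def anti_sql_filter(req, behavior="protect", forward_to=None, logging=True, log=None):
    """Apply the configured behavior. Returns ("pass", params) or ("forward", resource);
    'throw' raises SQLInjectionAttempt. `log` is a list that collects log entries."""
    suspicious = {k: v for k, v in req.params.items() if find_hits(v)}
    if not suspicious:
        return "pass", req.params
    if logging and log is not None:
        log.append(format_log_entry(req))
    if behavior == "protect":
        return "pass", {k: protect(v) if k in suspicious else v
                        for k, v in req.params.items()}
    if behavior == "forward":
        return "forward", forward_to
    if behavior == "throw":
        raise SQLInjectionAttempt(f"dangerous parameters: {sorted(suspicious)}")
    raise ValueError(f"unknown behavior: {behavior}")


# Constructed samples: the POST body from the log excerpt in section 2, plus a benign
# message that still trips the keyword list (a false positive a deployer should expect).
SAMPLE = Request(
    uri="/virtual-store/",
    session_id="B66B7EB264DB1FB67748B4B595D0395F",
    params={"password": "567567567", "Submit": "enter", "email": "' and 0=0; --"},
)
BENIGN = Request(uri="/virtual-store/contact", params={"message": "Please delete my account"})

if __name__ == "__main__":
    entries = []
    print(anti_sql_filter(SAMPLE, "protect", log=entries))
    print(entries[0])
    print(anti_sql_filter(SAMPLE, "forward", forward_to="/error.jsp", log=entries))
    print(anti_sql_filter(BENIGN, "protect", log=entries))  # "delete" becomes "dlete"
```

Running the module prints the sanitized parameters, a log entry in the page's format, the forward target, and the mangled benign message. The last result is the practical check to run against a real deployment: any form field that may legitimately contain words like "delete", "update" or an apostrophe will be altered in protect mode, so review those fields and prefer parameterized queries in the application itself, with the filter as an extra layer.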