防止sql注入过滤器

import java.io.IOException;  import java.util.Iterator;  import javax.servlet.Filter;  import javax.servlet.FilterChain;  import javax.servlet.FilterConfig;  import javax.servlet.ServletException;  import javax.servlet.ServletRequest;  import javax.servlet.ServletResponse;  import javax.servlet.http.HttpServletRequest;  import javax.servlet.http.HttpServletResponse;  /** * 通过Filter过滤器来防SQL注入攻击 * */ public class SQLFilter implements Filter {  private String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|; |or|-|+|,";  protected FilterConfig filterConfig = null;  /** * Should a character encoding specified by the client be ignored? */ protected boolean ignore = true;  public void init(FilterConfig config) throws ServletException {  this.filterConfig = config;  this.inj_str = filterConfig.getInitParameter("keywords");  }  public void doFilter(ServletRequest request, ServletResponse response,  FilterChain chain) throws IOException, ServletException {  HttpServletRequest req = (HttpServletRequest)request;  HttpServletResponse res = (HttpServletResponse)response;  Iterator values = req.getParameterMap().values().iterator();//获取所有的表单参数 while(values.hasNext()){  String[] value = (String[])values.next();  for(int i = 0;i < value.length;i++){  if(sql_inj(value[i])){  //TODO这里发现sql注入代码的业务逻辑代码 return;  }  }  }  chain.doFilter(request, response);  }  public boolean sql_inj(String str)  {  String[] inj_stra=inj_str.split("\\|");  for (int i=0 ; i < inj_stra.length ; i++ )  {  if (str.indexOf(" "+inj_stra[i]+" ")>=0)  {  return true;  }  }  return false;  }  }