
Java: filtering sensitive words and special characters to prevent SQL injection

2015-06-04 16:26
A while ago I was told that the company homepage might be vulnerable to SQL injection, so I searched the web to see what was available for this sort of thing.
At first I wanted to filter sensitive words and special characters together, but could not come up with a good way to do it,
so I borrowed some ideas from the web and wrote my own filtering method. It works in two steps:
first, filter sensitive words (the list below is all I can think of for now; you can add your own);
second, filter special characters.
Note that a keyword blacklist like this is only a stopgap: it removes substrings it happens to know about and cannot recognise every way of writing a query, so the real fix is to pass user input to the database as bound parameters (PreparedStatement) instead of concatenating it into the SQL text.
The code is as follows:

import java.util.regex.Pattern;

public class SqlFilter {
    // Keywords to strip. Each is matched case-insensitively as a plain substring,
    // so ordinary words that contain one ("hand", "Morris", "form") are mangled as well.
    // Duplicates from the original list ("and", "exec", "select", "or", ...) have been removed.
    private static final String[] SQL_WORDS = {
        "and", "exec", "execute", "insert", "select", "delete", "update", "count", "drop",
        "chr", "mid", "master", "truncate", "char", "declare", "sitename", "net user",
        "xp_cmdshell", "like", "create", "table", "from", "grant", "use", "group_concat",
        "column_name", "information_schema.columns", "table_schema", "union", "where",
        "order", "by", "or"
    };
    // Special characters to strip (matched literally)
    private static final String[] SQL_CHARS = {"*", "'", ";", "--", "-", "+", "//", "/", "%", "#"};

    static String sqlValidate(String str) {
        for (String word : SQL_WORDS) {
            // Pattern.quote escapes regex metacharacters such as the '.' in
            // "information_schema.columns"; (?i) keeps the match case-insensitive
            str = str.replaceAll("(?i)" + Pattern.quote(word), "");
        }
        for (String ch : SQL_CHARS) {
            // String.replace is a literal replacement. The original replaceAll("*", "")
            // and replaceAll("+", "") threw PatternSyntaxException, because "*" and "+"
            // are regex metacharacters.
            str = str.replace(ch, "");
        }
        return str;
    }
}
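As an added example (not code from the original post), the following shows why a blacklist like the one above should not be the only defence, and what the proper fix looks like. A single pass of keyword removal lets a nested spelling such as selselectect re-form the keyword once the inner match is cut out, and building SQL by string concatenation lets a quoted value change the statement, whereas a JDBC PreparedStatement binds the value as data so the SQL text never changes. The users table with its id and name columns, and the Connection obtained from whatever JDBC driver you use, are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class SqlInjectionDemo {

    // The same single-pass keyword removal the blacklist filter performs, for one word.
    static String stripKeyword(String input) {
        return input.replaceAll("(?i)select", "");
    }

    // VULNERABLE: the user-controlled value is spliced into the SQL text, so a quote
    // inside it ends the string literal and the rest is parsed as SQL.
    static String buildQueryByConcatenation(String username) {
        return "SELECT id, name FROM users WHERE name = '" + username + "'";
    }

    // SAFE: the value is bound as a parameter. Quotes, semicolons and keywords in
    // username are all just data; the statement text is fixed before binding.
    // (users table and its columns are assumed for illustration.)
    static String findUserId(Connection conn, String username) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("id") : null;
            }
        }
    }

    public static void main(String[] args) {
        // Nesting bypass: removing the inner "select" (characters 3..8) leaves
        // "sel" + "ect", which is the keyword again.
        System.out.println(stripKeyword("selselectect"));
        // prints: select

        // With concatenation the value becomes part of the SQL text:
        System.out.println(buildQueryByConcatenation("x' OR '1'='1"));
        // prints: SELECT id, name FROM users WHERE name = 'x' OR '1'='1'
        // findUserId(conn, "x' OR '1'='1") would instead look for a user literally
        // named x' OR '1'='1 and return null.
    }
}
```

The takeaway is that the filter above can stay as a defence-in-depth layer, but every query that includes user input should be built with PreparedStatement and parameter binding as in findUserId, not by string concatenation.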