MySQL_(Java)使用preparestatement解决SQL注入的问题

 

 

  MySQL_(Java)使用JDBC向数据库发起查询请求  传送门

  MySQL_(Java)使用JDBC创建用户名和密码校验查询方法  传送门

 

  MySQL数据库中的数据,数据库名garysql,表名garytb,数据库中存在的用户表

  

 

  存在SQL注入问题

 

  使用preparestatement做查询语句时可解决SQL注入的问题

   pstmt.setString(1, username)将username作为一个结果传入到"where username = ?"的问号中

String sql = "select * from garytb where username = ? and password = ?";
            PreparedStatement pstmt = con.prepareStatement(sql);
            //添加参数
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            //进行查询
            rs = pstmt.executeQuery();
                
            if(rs.next()) {
                return true;
            }else {
                return false;
            }

 

 

 

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class JDBC01 {

    public static void main(String[] args) throws SQLException  {
        //selectAll();
        //存在sql注入
        System.out.println(selectByUernamePassword("Garyyyyar","nihao' or '1'='1"));
        //使用preparestatement解决SQL注入的问题
        System.out.println(selectByUP2("Garyyyyar","nihao' or '1'='1"));
    }

    public static void selectAll() throws SQLException {
        //注册驱动    使用驱动连接数据库
        Connection con = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            
            //String url ="jdbc:mysql://localhost:3306/garysql";
            //指定编码查询数据库
            String url ="jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
            String user = "root";
            String password = "123456";
            //建立和数据库的连接
            con = DriverManager.getConnection(url,user,password);
            
            //数据库的增删改查
            stmt = con.createStatement();
            //返回一个结果集
            rs =stmt.executeQuery("select * from garytb");
            
            while(rs.next()) {
                //System.out.println(rs.getString(1)+","+rs.getString(2)+","+rs.getString(3));
                System.out.println(rs.getString("id")+","+rs.getString("username")+","+rs.getString("password"));
            }
        
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }finally {
            if(rs!=null)
                rs.close();
            if(stmt!=null)
                stmt.close();
            if(con!=null)
                con.close();
        }
    }

    public static boolean  selectByUernamePassword(String username,String password) throws SQLException {
        Connection con=null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            
            String url ="jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
            con = DriverManager.getConnection(url,"root","123456");
            stmt =con.createStatement();
            String sql = "select * from garytb where username = '"+username+"' and password = '"+password+"'";
            //System.out.println(sql);
            rs = stmt.executeQuery(sql);
            
            if(rs.next()) {
                return true;
            }else {
                return false;
            }
                
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }finally {
            if(rs!=null)
                rs.close();
            if(stmt!=null)
                stmt.close();
            if(con!=null)
                con.close();
        }
        
        return false;
    }

    public static boolean selectByUP2(String username,String password) throws SQLException{
        Connection con=null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            
            String url ="jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
            con = DriverManager.getConnection(url,"root","123456");
            
            String sql = "select * from garytb where username = ? and password = ?";
            PreparedStatement pstmt = con.prepareStatement(sql);
            //添加参数
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            //进行查询
            rs = pstmt.executeQuery();
                
            if(rs.next()) {
                return true;
            }else {
                return false;
            }
                
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }finally {
            if(rs!=null)
                rs.close();
            if(stmt!=null)
                stmt.close();
            if(con!=null)
                con.close();
        }
        
        return false;
    }
}
JDBC01.java

 

public static boolean selectByUP2(String username,String password) throws SQLException{
        Connection con=null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            Class.forName("com.mysql.jdbc.Driver");
            
            String url ="jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
            con = DriverManager.getConnection(url,"root","123456");
            
            String sql = "select * from garytb where username = ? and password = ?";
            PreparedStatement pstmt = con.prepareStatement(sql);
            //添加参数
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            //进行查询
            rs = pstmt.executeQuery();
                
            if(rs.next()) {
                return true;
            }else {
                return false;
            }
                
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }finally {
            if(rs!=null)
                rs.close();
            if(stmt!=null)
                stmt.close();
            if(con!=null)
                con.close();
        }
        
        return false;
    }

 

posted @ 2019-03-23 19:04 Cynical丶Gary 阅读(...) 评论(...) 编辑 收藏