1.1 Statement，测试SQL注入问题
package com.king.lesson02;
import com.king.lesson02.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
//SQL注入的问题:
//
/**
 * INTENTIONALLY VULNERABLE demo: the login query below is built by string
 * concatenation, so the caller's input becomes part of the SQL text. The
 * parameterized (PreparedStatement) variant of this class in lesson03 is the
 * corrected form; this one exists only to show what goes wrong.
 */
public class SQL {
    /**
     * Demo entry point: calls {@link #login} with a crafted username/password
     * pair instead of real credentials to show that input can change the WHERE
     * clause when the statement is concatenated.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        //login("king","123456");
        login("'or'2>1","'or'1=1");// essence of SQL injection: the SQL is concatenated, so data leaks; as long as what follows OR is true, rows come back
    }
    /**
     * Login business logic (vulnerable). Defect: {@code username} and
     * {@code password} are pasted directly into the query text (see the
     * {@code sql} line), so whoever controls them controls the statement.
     * Fix is to bind them as parameters with {@code PreparedStatement.setString},
     * which treats them as values rather than SQL. Also note the loop prints the
     * stored PASSWORD column to stdout — a disclosure in its own right; real
     * code should neither select nor print it.
     *
     * @param username user-supplied name, inserted unescaped into the query
     * @param password user-supplied password, inserted unescaped into the query
     */
    public static void login(String username,String password){
        Connection conn=null;
        Statement st=null;
        ResultSet rs=null;
        try {
            conn = JdbcUtils.getConnection();// obtain the database connection
            st=conn.createStatement();// obtain the SQL execution object
            //SELECT * from users WHERE `NAME`='king' AND `PASSWORD`='123456'
            String sql="SELECT * from users where `NAME`='"+username+"'AND `password`='"+password+"'";// SQL statement — the injection point: user input becomes query text
            rs=st.executeQuery(sql);// fetch every row the (possibly altered) predicate matches
            while(rs.next()){
                System.out.println(rs.getString("NAME"));
                System.out.println(rs.getString("PASSWORD"));// echoes the stored secret to stdout — avoid in real code
            }
        } catch (SQLException e) {
            e.printStackTrace();// demo only; production code should log through a logger and preserve the cause
        }finally {
            JdbcUtils.release(conn,st,rs);// release resources; underneath this is xxx.close()
        }
    }
}
1.2 PreparedStatement(测试)
package com.king.lesson03;
import com.king.lesson02.utils.JdbcUtils;
import java.sql.*;
//SQL注入测试(PreparedStatement)
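/**
 * Login demo using a {@link PreparedStatement}: user-supplied values are bound
 * as parameters, so the driver treats them as data and they cannot alter the
 * statement text. This is the corrected counterpart of the Statement-based
 * lesson02 version.
 */
public class SQL {
    /**
     * Entry point: runs the login demo with fixed credentials. The commented-out
     * call is the same crafted input that subverted the concatenated query; with
     * parameter binding it simply matches no row.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        // Verified: PreparedStatement resolves the SQL injection seen in lesson02
        login("king","123456");
        //login("'or'2>1","'or'1=1");// essence of SQL injection: the SQL is concatenated, so data leaks; as long as what follows OR is true, rows come back
    }

    /**
     * Looks up the user row matching {@code username}/{@code password} and prints
     * each matching NAME to stdout, or a "no match" line when nothing matched.
     * <p>
     * Changes from the original: only the NAME column is selected (the stored
     * password is neither fetched nor printed), and an empty result is reported
     * instead of being silent. NOTE(review): the password is still compared as
     * stored; if the column holds plaintext, that is a separate problem to fix
     * with a password hash (bcrypt/scrypt/argon2) — confirm against the schema.
     *
     * @param username user-supplied name, bound as parameter 1
     * @param password user-supplied password, bound as parameter 2
     */
    public static void login(String username,String password){
        Connection conn=null;
        PreparedStatement st=null;
        ResultSet rs=null;
        try {
            conn = JdbcUtils.getConnection();// obtain the database connection
            // Placeholders only — no user input ever becomes part of this string.
            // Selecting just NAME keeps the password column out of the result set.
            String sql="SELECT `NAME` from users where `NAME`= ? AND `password`= ? ";
            st=conn.prepareStatement(sql);// precompile once; values are bound below
            st.setString(1,username);
            st.setString(2,password);
            rs=st.executeQuery();// execute with the bound values
            boolean matched=false;
            while(rs.next()){
                matched=true;
                System.out.println(rs.getString("NAME"));
            }
            if(!matched){
                System.out.println("no matching user");
            }
        } catch (SQLException e) {
            e.printStackTrace();// demo only; production code should log through a logger and preserve the cause
        }finally {
            JdbcUtils.release(conn,st,rs);// release resources; underneath this is xxx.close()
        }
    }
}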