
5.17总结

package com.mf.jdbc;

import org.junit.Test;

import java.sql.*;

/**
 * 登录逻辑
 */

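public class JDBCDemo1 {

    /**
     * Login lookup using a {@link PreparedStatement}.
     *
     * <p>The simulated user input is bound as parameters, so the quote-laden
     * value in {@code pwd} is compared as a literal password string instead of
     * being parsed as SQL. Compare with {@link #testLogin_inject()}, which builds
     * the same query by concatenation.
     *
     * <p>The connection details are hard-coded sample values (root account,
     * plaintext password, {@code useSSL=false}); they are fine for a local demo
     * but would belong in configuration, with TLS enabled, in real code.
     *
     * @throws Exception if the driver cannot connect or the query fails
     */
    @Test
    public void testPrepareStatement() throws Exception {
        String url = "jdbc:mysql:///test?useSSL=false";
        String username = "root";
        String password = "123456";

        // Stand-ins for the username and password a user would type.
        String name = "zhangsan";
        String pwd = "' or '1' = '1";

        // The "?" placeholders are bound below; the driver never splices the
        // values into the SQL text, which is what defeats the payload in pwd.
        String sql = "select * from tb_user where username = ? and password = ?";

        // try-with-resources releases the connection, statement and result set
        // even when executeQuery throws (the original close() calls were skipped
        // on any exception).
        try (Connection conn = DriverManager.getConnection(url, username, password);
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, name);
            pstmt.setString(2, pwd);

            try (ResultSet rs = pstmt.executeQuery()) {
                // A matching row means the credentials were accepted.
                if (rs.next()) {
                    System.out.println("登陆成功");
                } else {
                    System.out.println("登陆失败~");
                }
            }
        }
    }

    /**
     * Demonstrates why string-built SQL is vulnerable to injection.
     *
     * <p>{@code name} and {@code pwd} are concatenated directly into the query
     * text, so the single quote in {@code pwd} closes the password literal and
     * the remainder becomes part of the WHERE clause, letting the lookup succeed
     * without a valid password. The method is left deliberately vulnerable for
     * the demonstration; the fix is the parameterized form in
     * {@link #testPrepareStatement()}.
     *
     * @throws Exception if the driver cannot connect or the query fails
     */
    public void testLogin_inject() throws Exception {
        // Note: this targets schema "db1" while the method above uses "test".
        String url = "jdbc:mysql:///db1?useSSL=false";
        String username = "root";
        String password = "123456";

        // Stand-ins for the username and password a user would type.
        String name = "zegcxbdb";
        String pwd = "' or '1' = '1";

        // VULNERABLE BY DESIGN: user input becomes SQL text. Do not copy this
        // pattern outside a demo; use PreparedStatement with bound parameters.
        String sql = "select * from tb_user where username = '" + name + "' and password = '" + pwd + "'";

        // try-with-resources closes everything in reverse order even on failure.
        try (Connection conn = DriverManager.getConnection(url, username, password);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            if (rs.next()) {
                System.out.println("登陆成功");
            } else {
                System.out.println("登陆失败~");
            }
        }
    }

}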
