prepareStatement函数作用:防止SQL注入
增:
package com.esd.demo02; import com.esd.utils.JdbcUtils; import java.sql.Connection; import java.util.Date;//这里要改成util,才能获取时间 import java.sql.PreparedStatement; import java.sql.SQLException; public class TestPerparedstatement { public static void main(String[] args) { Connection conn =null; PreparedStatement st=null; try{ conn = JdbcUtils.getConnection(); //区别使用?做占位符 String sql="INSERT INTO users(`id`,`name`,`password`,`email`,`birthday`)values(?,?,?,?,?)"; st = conn.prepareStatement(sql);//预编译SQL,先写sql,不编译 st.setInt(1,4); st.setString(2,"LIN"); st.setString(3,"123456"); st.setString(4,"10000@qq.com"); // 注意点,sql.Date,数据库,java.sql.Data() // util.Date java new Date().getTime(),,,,获得时间 st.setDate(5, new java.sql.Date(new Date().getTime())); // 执行 int i = st.executeUpdate(); if (i>0){ System.out.println("插入成功!"); } } catch (SQLException e) { e.printStackTrace(); }finally { JdbcUtils.release(conn,st,null); } } }
删:
package com.esd.demo02; import com.esd.utils.JdbcUtils; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.SQLException; import java.util.Date; public class TestDelete { public static void main(String[] args) { Connection conn =null; PreparedStatement st=null; try{ conn = JdbcUtils.getConnection(); //区别使用?做占位符 String sql="delete from users where id=?"; st = conn.prepareStatement(sql);//预编译SQL,先写sql,不编译 st.setInt(1,4); // 注意点,sql.Date,数据库,java.sql.Data() // util.Date java new Date().getTime(),,,,获得时间 int i = st.executeUpdate(); if (i>0){ System.out.println("删除成功!"); } } catch (SQLException e) { e.printStackTrace(); }finally { JdbcUtils.release(conn,st,null); } } }
改:
package com.esd.demo02; import com.esd.utils.JdbcUtils; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.SQLException; public class TestInsert { public static void main(String[] args) { Connection conn =null; PreparedStatement st=null; try{ conn = JdbcUtils.getConnection(); //区别使用?做占位符 String sql="update users set name=? where id=?"; st = conn.prepareStatement(sql);//预编译SQL,先写sql,不编译 st.setString(1,"huang"); st.setInt(2,2); // 注意点,sql.Date,数据库,java.sql.Data() // util.Date java new Date().getTime(),,,,获得时间 int i = st.executeUpdate(); if (i>0){ System.out.println("更新成功!"); } } catch (SQLException e) { e.printStackTrace(); }finally { JdbcUtils.release(conn,st,null); } } }
查:
package com.esd.demo02; import com.esd.utils.JdbcUtils; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; public class TestSelect { public static void main(String[] args) { Connection conn =null; PreparedStatement pre=null; ResultSet re=null; try { conn= JdbcUtils.getConnection(); String spl="select *from users where id=?"; pre= conn.prepareStatement(spl); pre.setInt(1,3); re = pre.executeQuery(); if (re.next()){ System.out.println(re.getString("name")); } } catch (SQLException e) { e.printStackTrace(); } } }
注入失败:(prepareStatement本质是把传递进来的函数当成字符,,假设其中存在转义字符,例如 ' 等,则会直接转掉)
package com.esd.utils; import java.sql.*; public class sql注入 { public static void main(String[] args) { // login("huang","123456"); login(" 'or' 1=1"," 'or'1=1"); } public static void login(String username,String password){ Connection conn= null; PreparedStatement st=null; ResultSet rs=null; try{ conn = JdbcUtils.getConnection(); // SELECT * FROM users WHERE `name`='huang' AND`password`='123456' String sql="SELECT * FROM users WHERE `name`=? AND`password`=?"; st = conn.prepareStatement(sql); st.setString(1,username); st.setString(2,password); rs = st.executeQuery(); while(rs.next()){ System.out.println(rs.getString("name")); } } catch (SQLException e) { e.printStackTrace(); }finally { JdbcUtils.release(conn,st,rs); } } }
本文来自博客园,作者:阿霖找BUG,转载请注明原文链接:https://www.cnblogs.com/lin-07/articles/16289903.html
浙公网安备 33010602011771号