SQL注入问题
SQL注入问题
SQL注入漏洞:当SQL语句由用户输入直接拼接而成时,攻击者可以在输入中带入引号和 or 等条件来改变查询逻辑,从而导致数据泄露。防御方法是使用 PreparedStatement 参数化查询,让输入始终只作为数据处理,而不是拼接进SQL文本。
下方代码演示了这一问题:拼接后的 where 条件恒为真,登录查询会返回 users 表中的全部记录:
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
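/**
 * Teaching example: a login query that is open to SQL injection, next to the
 * parameterized version that is not.
 *
 * <p>{@link #login} is kept vulnerable on purpose so the effect can be observed;
 * it must not be copied into real code. {@link #loginSafe} shows the fix.
 */
public class SQL注入 {
    public static void main(String[] args) {
        // Normal login: login("saxon","123456");

        // The quote characters in the input close the SQL string literal early, so
        // the rest of the input is parsed as SQL. The WHERE clause then matches
        // every row and all users are printed.
        login(" 'or' 1=1", " 'or' 1=1");

        // Same input through a parameterized query: it is compared as plain data,
        // so nothing is printed unless a user really has this name and password.
        loginSafe(" 'or' 1=1", " 'or' 1=1");
    }

    /**
     * INTENTIONALLY VULNERABLE: builds the query by concatenating the arguments
     * into the SQL text and prints every row the query returns.
     *
     * <p>NOTE(review): the query compares the {@code password} column with the raw
     * input, which implies passwords are stored in plaintext in this demo table.
     * A real system stores a salted password hash (bcrypt/scrypt/argon2) and never
     * prints it.
     *
     * @param username value concatenated unescaped into the {@code NAME} comparison
     * @param password value concatenated unescaped into the {@code password} comparison
     */
    public static void login(String username, String password) {
        // For the input used in main the statement becomes:
        // select * from users where `NAME` = ' 'or' 1=1' AND `password` = ' 'or' 1=1'
        String sql = "select * from users where `NAME` = '" + username +"' AND `password` = '"+ password + "' ";

        // try-with-resources closes the result set, statement and connection even
        // when the query throws; the original version leaked all three.
        // Assumes jdbcUtils.getConnection() (defined elsewhere) hands out a
        // connection the caller owns and may close - TODO confirm.
        try (Connection conn = jdbcUtils.getConnection();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                System.out.println(rs.getString("NAME"));
                System.out.println(rs.getString("password"));
                System.out.println("=============");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Runs the same lookup with a {@link PreparedStatement}: the SQL text is fixed
     * and the arguments are bound as parameters, so quotes or keywords inside them
     * cannot change the structure of the query.
     *
     * @param username bound to the first {@code ?} placeholder
     * @param password bound to the second {@code ?} placeholder
     */
    public static void loginSafe(String username, String password) {
        String sql = "select * from users where `NAME` = ? AND `password` = ?";

        try (Connection conn = jdbcUtils.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    // Only the name is shown; the stored password is never echoed.
                    System.out.println(rs.getString("NAME"));
                    System.out.println("=============");
                }
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}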