
MySQL_(Java)使用preparestatement解决SQL注入的问题


 

 

  MySQL_(Java)使用JDBC向数据库发起查询请求  传送门

  MySQL_(Java)使用JDBC创建用户名和密码校验查询方法  传送门

 

  MySQL数据库中的数据,数据库名garysql,表名garytb,数据库中存在的用户表


 

  存在SQL注入问题

 

  使用 PreparedStatement 构造查询语句时可解决 SQL 注入问题

   pstmt.setString(1, username) 将 username 作为参数值绑定到 "where username = ?" 中的问号占位符上,而不是拼接进 SQL 文本,因此参数中的引号和关键字不会改变 SQL 语句的结构

String sql = "select * from garytb where username = ? and password = ?";
            PreparedStatement pstmt = con.prepareStatement(sql);
            //添加参数
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            //进行查询
            rs = pstmt.executeQuery();
                
            if(rs.next()) {
                return true;
            }else {
                return false;
            }

 


 

 

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

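public class JDBC01 {

    // JDBC URL of the demo database. useSSL=false means credentials and rows travel in clear text;
    // that is tolerable only against the local demo server, not against a remote MySQL instance.
    private static final String URL =
            "jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
    // Hard-coded credentials are kept here only because this is a tutorial listing; real code must
    // read them from configuration or a secret store, never from source.
    private static final String USER = "root";
    private static final String PASSWORD = "123456";

    /**
     * Runs the same login check twice with an injection-style password: once through string
     * concatenation (the quote and {@code or} are interpreted as SQL) and once through a
     * {@link PreparedStatement} (the whole string is compared as a plain password value).
     *
     * @param args ignored
     * @throws SQLException if the driver is missing or the database cannot be reached/queried
     */
    public static void main(String[] args) throws SQLException {
        //selectAll();
        // Textbook injection input: the appended condition is always true when it is parsed as SQL.
        String injected = "nihao' or '1'='1";
        // 存在sql注入 — the string is spliced into the SQL text, so the condition is evaluated as SQL
        System.out.println(selectByUernamePassword("Garyyyyar", injected));
        // 使用preparestatement解决SQL注入的问题 — the string is bound as a value, not parsed as SQL
        System.out.println(selectByUP2("Garyyyyar", injected));
    }

    /**
     * Opens a connection to the demo database.
     *
     * @return an open connection the caller must close
     * @throws SQLException if the driver class is absent or the connection cannot be established;
     *     a missing driver is wrapped so callers deal with a single exception type
     */
    private static Connection openConnection() throws SQLException {
        try {
            // Explicit load is only needed for the legacy com.mysql.jdbc driver; JDBC 4+ drivers
            // register themselves through ServiceLoader.
            Class.forName("com.mysql.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            throw new SQLException("MySQL JDBC driver not found on the classpath", e);
        }
        return DriverManager.getConnection(URL, USER, PASSWORD);
    }

    /**
     * Prints every row of {@code garytb} as {@code id,username,password}.
     *
     * <p>The table stores passwords in clear text and this method echoes them to stdout; both are
     * demo shortcuts, not a pattern to copy (store only a salted password hash, never log it).
     *
     * @throws SQLException if the query or the connection fails; resources are closed either way
     */
    public static void selectAll() throws SQLException {
        // try-with-resources closes rs, stmt and con in reverse order even if an earlier close throws,
        // which the original nested if/close chain in finally did not guarantee.
        try (Connection con = openConnection();
             Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery("select * from garytb")) {
            while (rs.next()) {
                System.out.println(rs.getString("id") + "," + rs.getString("username") + ","
                        + rs.getString("password"));
            }
        }
    }

    /**
     * Login check built by string concatenation — the INJECTABLE version.
     *
     * <p>Kept only to demonstrate the bug this page is about: {@code username} and {@code password}
     * are copied verbatim into the SQL text, so any quote or keyword inside them changes the
     * statement instead of being compared as data. Use {@link #selectByUP2(String, String)} for
     * real code.
     *
     * @param username value spliced unescaped into the WHERE clause
     * @param password value spliced unescaped into the WHERE clause
     * @return {@code true} if the concatenated query returns at least one row
     * @throws SQLException if the query or the connection fails
     * @deprecated demonstration of the vulnerable pattern; replaced by {@link #selectByUP2}
     */
    @Deprecated
    public static boolean selectByUernamePassword(String username, String password) throws SQLException {
        // DO NOT COPY: string-built SQL. Shown only so the next method can be contrasted with it.
        String sql = "select * from garytb where username = '" + username + "' and password = '"
                + password + "'";
        try (Connection con = openConnection();
             Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    /**
     * Login check using a {@link PreparedStatement} with bound parameters — the SAFE version.
     *
     * <p>The SQL text is fixed at {@code prepareStatement} time; {@code setString} sends each
     * argument as a value for the {@code ?} placeholder, so quotes or keywords in the input can only
     * ever be compared against the column, never parsed as part of the statement.
     *
     * @param username bound to the first {@code ?}
     * @param password bound to the second {@code ?}
     * @return {@code true} if a row matches both values exactly
     * @throws SQLException if the query or the connection fails
     */
    public static boolean selectByUP2(String username, String password) throws SQLException {
        String sql = "select * from garytb where username = ? and password = ?";
        // The PreparedStatement is now closed too; the original never closed pstmt (it only closed a
        // Statement variable that stayed null).
        try (Connection con = openConnection();
             PreparedStatement pstmt = con.prepareStatement(sql)) {
            //添加参数
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            //进行查询
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next();
            }
        }
    }
}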
JDBC01.java

 

MySQL_(Java)使用preparestatement解决SQL注入的问题

原文:https://www.cnblogs.com/1138720556Gary/p/10585137.html
