package com.king.lesson02; import com.king.lesson02.utils.JdbcUtils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; //SQL注入的问题: // public class SQL { public static void main(String[] args) { //login("king","123456"); login("‘or‘2>1","‘or‘1=1");//sql注入本质:sql被拼接,导致数据泄露,只要保证or后面的为true就会有 } //登陆业务 public static void login(String username,String password){ Connection conn=null; Statement st=null; ResultSet rs=null; try { conn = JdbcUtils.getConnection();//获取数据库 st=conn.createStatement();//获得SQL执行对象 //SELECT * from users WHERE `NAME`=‘king‘ AND `PASSWORD`=‘123456‘ String sql="SELECT * from users where `NAME`=‘"+username+"‘AND `password`=‘"+password+"‘";//SQL语句 rs=st.executeQuery(sql);//获得返回的所有数据 while(rs.next()){ System.out.println(rs.getString("NAME")); System.out.println(rs.getString("PASSWORD")); } } catch (SQLException e) { e.printStackTrace(); }finally { JdbcUtils.release(conn,st,rs);//释放资源,本质xxx.close() } } }
package com.king.lesson03; import com.king.lesson02.utils.JdbcUtils; import java.sql.*; //SQL注入测试(PreparedStatement) public class SQL { public static void main(String[] args) { //经过测试PreparedStatement,完美的解决了SQL注入问题 login("king","123456"); //login("‘or‘2>1","‘or‘1=1");//sql注入本质:sql被拼接,导致数据泄露,只要保证or后面的为true就会有 } //登陆业务 public static void login(String username,String password){ Connection conn=null; PreparedStatement st=null; ResultSet rs=null; try { conn = JdbcUtils.getConnection();//获取数据库 //SELECT * from users WHERE `NAME`=‘king‘ AND `PASSWORD`=‘123456‘ String sql="SELECT * from users where `NAME`= ? AND `password`= ? ";//SQL语句 st=conn.prepareStatement(sql);//预编译 st.setString(1,username); st.setString(2,password); rs=st.executeQuery();//执行 while(rs.next()){ System.out.println(rs.getString("NAME")); System.out.println(rs.getString("PASSWORD")); } } catch (SQLException e) { e.printStackTrace(); }finally { JdbcUtils.release(conn,st,rs);//释放资源,本质xxx.close() } } }
SQL注入问题(测试 Statement与PreparedStatement区别)
原文:https://www.cnblogs.com/CL-King/p/13757289.html