MySQL_(Java)使用preparestatement解决SQL注入的问题
MySQL_(Java)使用JDBC向数据库发起查询请求 传送门
MySQL_(Java)使用JDBC创建用户名和密码校验查询方法 传送门
MySQL数据库中的数据,数据库名garysql,表名garytb,数据库中存在的用户表
存在SQL注入问题
使用preparestatement做查询语句时可解决SQL注入的问题
pstmt.setString(1, username) 将 username 作为一个参数值绑定到 "where username = ?" 中的问号上，而不是拼接进 SQL 语句本身，因此用户输入无法改变查询的结构
// Excerpt of the parameterised login query: the two '?' placeholders are bound as values below,
// so the SQL text never changes regardless of what the caller passes in.
String sql = "select * from garytb where username = ? and password = ?";
PreparedStatement pstmt = con.prepareStatement(sql);
// bind the parameters (sent to the driver as values, not spliced into the SQL string)
pstmt.setString(1, username);
pstmt.setString(2, password);
// run the query
rs = pstmt.executeQuery();
// NOTE(review): pstmt is never closed in this excerpt; in the full listing below the finally
// block closes only rs/stmt/con, so the statement handle is only released when con.close() runs.
if(rs.next()) {
    return true;
}else {
    return false;
}
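import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * JDBC demo contrasting a login query built by string concatenation (SQL-injectable) with the
 * same query expressed as a {@link PreparedStatement} with bound parameters.
 *
 * <p>The connection settings are the demo's own hard-coded values. Real code would read them
 * from configuration and never keep a database password in source.
 */
public class JDBC01 {

    /** Driver class loaded explicitly before connecting (legacy MySQL driver name used by the demo). */
    private static final String DRIVER = "com.mysql.jdbc.Driver";
    /** Connection URL; the query string forces UTF-8 and disables SSL exactly as in the demo. */
    private static final String URL =
            "jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
    private static final String USER = "root";
    private static final String PASSWORD = "123456";

    /**
     * Runs both login checks with the same injection-style second argument so the difference is
     * visible on stdout: the concatenated query is rewritten by the quote in the input, the
     * parameterised one compares it as a plain password value.
     *
     * @param args unused
     * @throws SQLException if the database cannot be reached or a query fails
     */
    public static void main(String[] args) throws SQLException {
        //selectAll();
        // Vulnerable version: the quote in the second argument closes the literal and appends a tautology.
        System.out.println(selectByUernamePassword("Garyyyyar", "nihao' or '1'='1"));
        // Parameterised version: the same string is bound as a value and cannot alter the query.
        System.out.println(selectByUP2("Garyyyyar", "nihao' or '1'='1"));
    }

    /**
     * Loads the driver and opens a connection with the demo credentials.
     *
     * @return an open connection owned by the caller, who must close it
     * @throws SQLException if the driver class is missing or the connection cannot be established
     */
    private static Connection openConnection() throws SQLException {
        try {
            // JDBC 4 drivers self-register, but the explicit load keeps the original demo's behaviour.
            Class.forName(DRIVER);
        } catch (ClassNotFoundException e) {
            // Surface the misconfiguration instead of printing it and silently returning "no match".
            throw new SQLException("JDBC driver not found: " + DRIVER, e);
        }
        return DriverManager.getConnection(URL, USER, PASSWORD);
    }

    /**
     * Prints every row of {@code garytb} as {@code id,username,password}.
     *
     * <p>This dumps the password column to stdout, which is acceptable only in this throwaway demo.
     *
     * @throws SQLException if the connection or the query fails
     */
    public static void selectAll() throws SQLException {
        // try-with-resources closes rs, stmt and con in reverse order even when an exception is thrown.
        try (Connection con = openConnection();
             Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery("select * from garytb")) {
            while (rs.next()) {
                System.out.println(rs.getString("id") + "," + rs.getString("username") + "," + rs.getString("password"));
            }
        }
    }

    /**
     * Intentionally vulnerable login check, kept only to demonstrate SQL injection.
     *
     * <p>Both arguments are concatenated straight into the SQL text, so a value containing a quote
     * changes the structure of the query instead of being compared as data. Do not copy this
     * pattern; {@link #selectByUP2(String, String)} is the correct form.
     *
     * @param username value concatenated into the {@code username = '...'} clause
     * @param password value concatenated into the {@code password = '...'} clause
     * @return {@code true} if the resulting query returns at least one row
     * @throws SQLException if the connection or the query fails
     */
    public static boolean selectByUernamePassword(String username, String password) throws SQLException {
        // Deliberately injectable: user input becomes part of the SQL text.
        String sql = "select * from garytb where username = '" + username + "' and password = '" + password + "'";
        try (Connection con = openConnection();
             Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return rs.next();
        }
    }

    /**
     * Login check using a {@link PreparedStatement}: username and password are bound as parameter
     * values, so the SQL text is fixed and user input cannot change the query's structure.
     *
     * <p>This fixes the injection only. The password is still compared in clear text against the
     * stored column, which a real system would replace with a salted password hash.
     *
     * @param username value bound to the first placeholder
     * @param password value bound to the second placeholder
     * @return {@code true} if a row matches both values
     * @throws SQLException if the connection or the query fails
     */
    public static boolean selectByUP2(String username, String password) throws SQLException {
        String sql = "select * from garytb where username = ? and password = ?";
        try (Connection con = openConnection();
             PreparedStatement pstmt = con.prepareStatement(sql)) {
            // Bound parameters are sent to the driver as values, never spliced into the SQL text.
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next();
            }
        }
    }
}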
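/**
 * Login check using a {@link PreparedStatement}: username and password are bound as parameter
 * values, so the SQL text is fixed and user input cannot change the query's structure.
 *
 * <p>Compared with the concatenating version, the only change is that the values travel as
 * parameters. The password is still compared in clear text against the stored column; hashing
 * it is a separate concern this demo does not cover.
 *
 * @param username value bound to the first placeholder
 * @param password value bound to the second placeholder
 * @return {@code true} if a row matches both values
 * @throws SQLException if the driver cannot be loaded, the connection fails or the query fails
 */
public static boolean selectByUP2(String username, String password) throws SQLException {
    String sql = "select * from garytb where username = ? and password = ?";
    try {
        // JDBC 4 drivers self-register, but the explicit load keeps the original demo's behaviour.
        Class.forName("com.mysql.jdbc.Driver");
    } catch (ClassNotFoundException e) {
        // Surface the misconfiguration instead of printing it and silently returning "no match".
        throw new SQLException("JDBC driver not found: com.mysql.jdbc.Driver", e);
    }
    String url = "jdbc:mysql://localhost:3306/garysql?useUnicode=true&characterEncoding=UTF8&useSSL=false";
    // try-with-resources closes pstmt and con even on failure; the original leaked pstmt entirely.
    try (Connection con = DriverManager.getConnection(url, "root", "123456");
         PreparedStatement pstmt = con.prepareStatement(sql)) {
        // Bound parameters are sent to the driver as values, never spliced into the SQL text.
        pstmt.setString(1, username);
        pstmt.setString(2, password);
        try (ResultSet rs = pstmt.executeQuery()) {
            return rs.next();
        }
    }
}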
(如需转载学习,请标明出处)