PreparedStatement解决SQL注入问题
package com.atguigu2.statement.crud;
import java.lang.reflect.Field;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;
import org.junit.Test;
import com.atguigu3.util.JDBCUtils;
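/**
 * Login demo built on {@link PreparedStatement}: the user name and password typed by the user
 * are bound with {@code setObject} into a fixed SQL text and never concatenated into it, so the
 * input is handled as data and cannot change the structure of the statement.
 */
public class PreparedStatementTest2 {

    /**
     * Reads a user name and password from standard input and reports whether a row of
     * {@code user_table} matches both values.
     *
     * <p>The query compares the typed password verbatim with the stored {@code password} column,
     * so this sample only works when that column holds the password exactly as typed; a real
     * login would load the stored salted hash and verify it in application code instead.
     *
     * <p>{@link #getInstance} returns {@code null} both when no row matches and when the lookup
     * itself fails, so a database or mapping error is reported here as a failed login.
     */
    @Test
    public void testLogin() {
        // System.in is deliberately left open: closing the Scanner would close stdin.
        Scanner scanner = new Scanner(System.in);
        System.out.println("请输入用户名:");
        String user = scanner.nextLine();
        System.out.println("请输入密码:");
        String password = scanner.nextLine();

        // Fixed statement text; the two '?' placeholders are filled in by the driver.
        String sql = "SELECT user,password FROM user_table WHERE user = ? and password = ?";
        User returnUser = getInstance(User.class, sql, user, password);
        if (returnUser != null) {
            System.out.println("登陆成功");
        } else {
            System.out.println("用户名不存在或密码错误");
        }
    }

    /**
     * Runs {@code sql} as a prepared statement with {@code args} bound positionally and maps the
     * first result row onto a new instance of {@code clazz}.
     *
     * <p>Every column label of the result must name a declared field of {@code clazz}; the column
     * value is written into that field reflectively (private fields included). Only the first row
     * is read.
     *
     * @param clazz class to instantiate; it needs a no-argument constructor accessible to this class
     * @param sql statement text containing {@code ?} placeholders; must not be built from user input
     * @param args values bound to the placeholders, in order (may be absent)
     * @return the mapped object, or {@code null} when the query returned no row <em>or</em> any
     *     JDBC/reflection error occurred (the error is only printed), so callers cannot distinguish
     *     "no match" from "lookup failed"
     */
    public <T> T getInstance(Class<T> clazz, String sql, Object... args) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = JDBCUtils.getConnectio();
            ps = conn.prepareStatement(sql);
            // Parameters are bound, not spliced into the text; JDBC placeholder indices are 1-based.
            if (args != null) {
                for (int i = 0; i < args.length; i++) {
                    ps.setObject(i + 1, args[i]);
                }
            }
            rs = ps.executeQuery();
            ResultSetMetaData rsmd = rs.getMetaData();
            int columnCount = rsmd.getColumnCount();
            if (rs.next()) {
                // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance(),
                // which propagated checked constructor exceptions without declaring them.
                T t = clazz.getDeclaredConstructor().newInstance();
                for (int i = 0; i < columnCount; i++) {
                    Object columnValue = rs.getObject(i + 1);
                    String columnLabel = rsmd.getColumnLabel(i + 1);
                    // Throws NoSuchFieldException when the label does not match a field of clazz.
                    Field field = clazz.getDeclaredField(columnLabel);
                    field.setAccessible(true);
                    field.set(t, columnValue);
                }
                return t;
            }
        } catch (Exception e) {
            // Best-effort sample: the failure is printed and surfaces to the caller as null.
            e.printStackTrace();
        } finally {
            JDBCUtils.closeResource(conn, ps, rs);
        }
        return null;
    }
}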