MySQL--05

SQL注入问题

package space.urbeautiful.utils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class Login {

    public static void main(String[] args) {
        log("' or ' 1=1","' or '1=1");
    }

    public static void log(String username,String password){
        Connection conn = null;
        Statement stat = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConn();
            stat = conn.createStatement();
            String sql = "select * from userlogin where uname = '"+username+"' and password = '"+password+"'";
            rs = stat.executeQuery(sql);
            while(rs.next()){
             System.out.println(rs.getString("uname"));
             System.out.println(rs.getString("password"));
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }finally{
            JdbcUtils.release(conn,stat,rs);
        }
    }
}

解决的办法就是不适用Statement 使用PrepareStatement  

posted @ 2020-06-05 23:55  SpaceJz  阅读(110)  评论(0编辑  收藏  举报