MySQL实现JDBC-基础步骤-工具类、注入攻击
(1)配置文件(在src下创建config.properties)
JDBC工具类
之前写的代码中有很多重复的地方,虽然可以运行,但是在代码的编写上有许多无用功!
案例如下:
使用了DAO、Service、Controller层
MySQL实现JDBC-简单案例演示_Tensorflow-CSDN博客
https://blog.csdn.net/weixin_43715214/article/details/123075053而JDBC工具类就是将重复的东西放在一起统一管理。
工具类编写
(1)配置文件(在src下创建config.properties)
项目骨架如下:
在config.properties中
driverClass=com.mysql.cj.jdbc.Driver
url=jdbc:mysql://localhost:3306/db14
username=root
password=888888注:username与password要根据自己的数据库来哈~~~
(2)工具类
我们先创建一个utils的包,在创建一个JDBCUtils的类
package com.JDBC_tool.utils;
import java.io.IOException;
import java.io.InputStream;
import java.sql.*;
import java.util.Properties;
public class JDBCUtils {
// 1.私有化构造方法
private JDBCUtils() {}
// 2.声明所需要的配置变量
private static String driverClass;
private static String url;
private static String username;
private static String password;
private static Connection con;
// 3.提供代码块,读取配置文件的信息为变量赋值
static {
try {
InputStream is = JDBCUtils.class.getClassLoader().getResourceAsStream("config.properties");
Properties prop = new Properties();
prop.load(is);
driverClass = prop.getProperty("driverClass");
url = prop.getProperty("url");
username = prop.getProperty("username");
password = prop.getProperty("password");
Class.forName(driverClass);
} catch (Exception e) {
e.printStackTrace();
}
}
// 4.提供获取数据连接的方法
public static Connection getConnection() {
try {
con = DriverManager.getConnection(url, username, password);
} catch (SQLException e) {
e.printStackTrace();
}
return con;
}
// 5.提供释放资源的方法
public static void close(Connection con, Statement stat, ResultSet rs) {
if(rs != null) {
try {
rs.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if(stat != null) {
try {
stat.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if(con != null) {
try {
con.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
// 重载
public static void close(Connection con, Statement stat) {
if(stat != null) {
try {
stat.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if(con != null) {
try {
con.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
}
使用工具类优化student表的CRUD
最后将Dao下的StudentDaoImpl修改一下
package com.JDBC_tool.dao;
import com.JDBC_tool.domain.Student;
import com.JDBC_tool.utils.JDBCUtils;
import java.sql.*;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
public class StudentDaoImpl implements StudentDao {
//查询所有学生
@Override
public ArrayList<Student> findAll() {
ArrayList<Student> list = new ArrayList<>();
Connection con = null;
Statement stat = null;
ResultSet rs = null;
try{
con = JDBCUtils.getConnection();
stat = con.createStatement();
String sql = "SELECT * FROM student";
rs = stat.executeQuery(sql);
while (rs.next()) {
Integer sid = rs.getInt("sid");
String name = rs.getString("name");
Integer age = rs.getInt("age");
Date birthday = rs.getDate("birthday");
Student stu = new Student(sid,name,age,birthday);
list.add(stu);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
JDBCUtils.close(con,stat,rs);
}
return list;
}
//条件查询,根据id获取学生信息
@Override
public Student findById(Integer id) {
Student stu = new Student();
Connection con = null;
Statement stat = null;
ResultSet rs = null;
try{
con = JDBCUtils.getConnection();
stat = con.createStatement();
String sql = "SELECT * FROM student WHERE sid='"+id+"'";
rs = stat.executeQuery(sql);
while (rs.next()) {
Integer sid = rs.getInt("sid");
String name = rs.getString("name");
Integer age = rs.getInt("age");
Date birthday = rs.getDate("birthday");
stu.setSid(sid);
stu.setName(name);
stu.setAge(age);
stu.setBirthday(birthday);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
JDBCUtils.close(con,stat,rs);
}
return stu;
}
//新增学生信息
@Override
public int insert(Student stu) {
Connection con = null;
Statement stat = null;
int result = 0;
try{
con = JDBCUtils.getConnection();
stat = con.createStatement();
Date d = stu.getBirthday();
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
String birthday = sdf.format(d);
String sql = "INSERT INTO student VALUES ('"+stu.getSid()+"','"+stu.getName()+"','"+stu.getAge()+"','"+birthday+"')";
result = stat.executeUpdate(sql);
} catch (Exception e) {
e.printStackTrace();
} finally {
JDBCUtils.close(con,stat);
}
return result;
}
//修改学生信息
@Override
public int update(Student stu) {
Connection con = null;
Statement stat = null;
int result = 0;
try{
con = JDBCUtils.getConnection();
stat = con.createStatement();
Date d = stu.getBirthday();
SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd");
String birthday = sdf.format(d);
String sql = "UPDATE student SET sid='"+stu.getSid()+"',name='"+stu.getName()+"',age='"+stu.getAge()+"',birthday='"+birthday+"' WHERE sid='"+stu.getSid()+"'";
result = stat.executeUpdate(sql);
} catch (Exception e) {
e.printStackTrace();
} finally {
JDBCUtils.close(con,stat);
}
return result;
}
//删除学生信息
@Override
public int delete(Integer id) {
Connection con = null;
Statement stat = null;
int result = 0;
try{
con = JDBCUtils.getConnection();
stat = con.createStatement();
String sql = "DELETE FROM student WHERE sid='"+id+"'";
result = stat.executeUpdate(sql);
} catch (Exception e) {
e.printStackTrace();
} finally {
JDBCUtils.close(con,stat);
}
return result;
}
}
之前有许多公共部分的代码,现在只需要调用工具类就行了!!!
SQL注入攻击
-
按照正常道理来说,我们在密码处输入的所有内容,都应该认为是密码的组成
-
但是现在Statement对象在执行sql语句时,将一部分内容当做查询条件来执行了
演示
在登录界面,输入一个错误的用户名或密码,也可以登录成功
如果使用Statement对象,像上述这样子输入,可能就可以登入成功!
解决办法-PreparedStatement
-
预编译sql语句的执行者对象。在执行sql语句之前,将sql语句进行提前编译。明确sql语句的格式后,就不会改变了。剩余的内容都会认为是参数!参数使用?作为占位符
-
为参数赋值的方法:setXxx(参数1,参数2);
-
参数1:?的位置编号(编号从1开始)
-
参数2:?的实际参数
-
-
执行sql语句的方法
-
执行insert、update、delete语句:int executeUpdate();
-
执行select语句:ResultSet executeQuery();
-
上述案例修改
public ArrayList<Student> findAll() {
//定义必要信息
Connection conn = null;
PreparedStatement pstm = null;
ResultSet rs = null;
ArrayList<Student> students = null;
try {
//1.获取连接
conn = JDBCUtils.getConnection();
//2.获取操作对象
pstm = conn.prepareStatement("select * from student");
//3.执行sql语句,获取结果集
rs = pstm.executeQuery();
//4.遍历结果集
students = new ArrayList<Student>();
while (rs.next()) {
//5.封装
Student student = new Student();
student.setSid(rs.getInt("sid"));
student.setName(rs.getString("name"));
student.setAge(rs.getInt("age"));
student.setBirthday(rs.getDate("birthday"));
//加入到集合中
students.add(student);
}
//6.返回
return students;
}catch (Exception e){
throw new RuntimeException(e);
}finally {
JDBCUtils.close(conn,pstm,rs);
}
}
