MySQL 安全漏洞(SQL 注入)的一种现象,就是利用引号等特殊字符把包住输入的 ' ' 提前闭合掉,然后后面的 true 条件就起作用啦
所以~ select * from stu where StuName = true~~~~~
代码举例:
// Login flow: reads a username and password from stdin and checks them against the stu table.
System.out.println("请输入用户名:");
Scanner scanner = new Scanner(System.in);
String name = scanner.nextLine();
System.out.println("请输入密码:");
String password = scanner.nextLine();
// Builds the SQL by interpolating the raw user input into the query text.
// VULNERABLE: a single quote inside name or password closes the string literal early,
// so the rest of the input is parsed as SQL (SQL injection). The fix is a
// parameterized PreparedStatement, as in the second example of this page.
String sql = String.format("select * from stu where StuName='%s' and LoginPwd='%s'",name,password);
// Connect to the server to verify the credentials.
Connection connection = JDBCUtil.GetConnection(); // project-defined helper that wraps the JDBC driver setup and returns an open Connection to the author's own server
// NOTE(review): comparing LoginPwd directly to the typed password suggests passwords are
// stored in plaintext — confirm; they should be stored as salted hashes.
Statement statement = null;
statement = connection.createStatement();
// Execute the SQL. Neither the Connection, the Statement nor the ResultSet is closed here
// (resource leak) — see the try-with-resources form in the fixed example.
ResultSet resultSet = statement.executeQuery(sql);
if(resultSet.next()){
System.out.println("登录成功");
// Echoes the full query, including the plaintext password, to stdout; credentials should not be printed or logged.
System.out.println(sql);
}else{
System.out.println("登录失败!请重试");
}
解决:使用预编译 PreparedStatement,创建参数化的sql语句
例如:String sql="select * from stu where StuName = ? and LoginPwd = ?"; //设置参数化sql语句,变量的值暂时用?代替
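// Create the parameterized statement via Connection.prepareStatement; the ? markers
// are bound below, so the values never become part of the query text.
PreparedStatement preparement = connection.prepareStatement(sql);
preparement.setString(1, "易烊千玺"); // bind the first ? (JDBC parameter indices start at 1)
preparement.setString(2,"123445");   // bind the second ?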
代码示例:
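// Login flow: reads a username and password from stdin and checks them against the
// stu table with a parameterized query.
System.out.println("请输入用户名:");
Scanner scanner = new Scanner(System.in);
String name = scanner.nextLine();
System.out.println("请输入密码:");
String password = scanner.nextLine();
// Parameterized SQL: the user input is bound as values, never spliced into the query
// text, so a quote in name or password cannot end the string literal or alter the query.
String sql = "select * from stu where StuName=? and LoginPwd=?;";
// NOTE(review): comparing LoginPwd directly to the typed password suggests passwords are
// stored in plaintext — confirm; they should be stored as salted hashes.
// try-with-resources closes the ResultSet, PreparedStatement and Connection even when
// executeQuery throws; the previous version left all three open.
try (Connection connection = JDBCUtil.GetConnection(); // project-defined helper that wraps the JDBC driver setup and returns an open Connection
     PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
    // Bind each ? by position; JDBC parameter indices start at 1.
    preparedStatement.setString(1, name);
    preparedStatement.setString(2, password);
    try (ResultSet resultSet = preparedStatement.executeQuery()) {
        if (resultSet.next()) {
            System.out.println("登录成功");
            System.out.println(sql); // prints only the query template; the bound values are not echoed
        } else {
            System.out.println("登录失败!请重试");
        }
    }
}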
}
本文来自博客园,作者:一乐乐,转载请注明原文链接:https://www.cnblogs.com/shan333/p/14885063.html