SQL注入問題
sql存在漏洞,會被攻擊導緻資料洩露 SQL會被拼接 or
package com.kuang.lesson02;
import com.kuang.lesson02.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class SQL注入 {
public static void main(String[] args) throws SQLException {
//SQL注入
login("sanjin","123456");
// login("' or '1=1","123456");
}
public static void login(String name,String password) throws SQLException {
Connection conn =null;
Statement st = null;
ResultSet rs =null;
try {
conn = jdbcUtils.getConnection();//擷取連接配接
st = conn.createStatement();//擷取SQL執行對象
String sql = "select * from users where `NAME`='"+ name +"' AND `PASSWORD`='"+ password +"'" ;
rs=st.executeQuery(sql);//查詢完畢傳回結果集
while (rs.next()){
System.out.println(rs.getString("NAME"));
}
jdbcUtils.release(conn,st,rs);
} catch (Exception e) {
e.printStackTrace();
}finally {
jdbcUtils.release(conn,st,rs);
}
}
}
PreparedStatement對象
PreparedStatement 可以防止SQL注入 ,效率更高。
-
- 新增
- 删除
- 更新
- 查詢
[外鍊圖檔轉存失敗,源站可能有防盜鍊機制,建議将圖檔儲存下來直接上傳(img-g2bWtm8m-1609070543587)(C:\Users\王東梁\AppData\Roaming\Typora\typora-user-images\image-20201227170521886.png)]
package com.kuang.lesson03;
import com.kuang.lesson02.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class Test01 {
public static void main(String[] args) throws SQLException {
Connection connection= null;
PreparedStatement pstm=null;
try {
connection = jdbcUtils.getConnection();
//差別
//使用問好占位符代替參數
String sql = "insert into users(id,`NAME`) values(?,?)";
pstm = connection.prepareStatement(sql);//預編譯sql,先寫sql然後不執行
//手動指派
pstm.setInt(1,6);
pstm.setString(2,"SANJIN");
//執行
int i = pstm.executeUpdate();
if (i>0){
System.out.println("插入成功");
}
} catch (Exception e) {
e.printStackTrace();
}finally {
jdbcUtils.release(connection,pstm,null);
}
}
}