prepareStatement:
SQL注入:
查询时,攻击者通过篡改where后面的条件,使其恒为真,从而查看整张表的数据
防止SQL注入:
预执行SQL语句,提前判断该SQL语句的语义和语法是否正确
当要查询的信息比较敏感、对安全性要求较高时,就使用prepareStatement来进行查询
java_SQL速配
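/**
 * JDBC connection settings for the local MySQL instance used by the examples.
 *
 * <p>The credentials below are hard-coded because this is a teaching example; in
 * production code they belong in configuration or a secrets store, never in source
 * control.
 */
public class java_SQL速配 {
    // JDBC driver class name
    public static final String DRIVER = "com.mysql.cj.jdbc.Driver";
    // database user
    public static final String USER = "root";
    // database password (hard-coded for the demo only)
    public static final String PWD = "12345678";
    // database server IP
    public static final String IP = "127.0.0.1";
    // port number
    public static final String PORT = "3306";

    // constants holder: not meant to be instantiated
    private java_SQL速配() {
    }

    /**
     * Builds the JDBC URL for {@code dbName} on the configured host and port.
     *
     * <p>{@code useSSL=false} turns off TLS for the connection. That is tolerable for
     * a loopback instance, but against a remote server the credentials and query
     * traffic would travel unencrypted.
     *
     * @param dbName name of the database to connect to
     * @return the JDBC URL for that database
     */
    public static String url(String dbName) {
        return "jdbc:mysql://" + IP + ":" + PORT + "/" + dbName
                + "?useUnicode=true&characterEncoding=UTF8&useSSL=false";
    }
}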
java_防止SQL注入
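/**
 * Demonstrates why a {@link PreparedStatement} defeats SQL injection: the
 * user-supplied value is bound as a parameter, so it is compared as a plain
 * string value and cannot change the structure of the query.
 */
public class java_防止sql注入 {
    public static void main(String[] args) {
        try {
            // load the driver via the shared constant rather than a duplicated literal
            Class.forName(java_SQL速配.DRIVER);
            // try-with-resources closes statement and connection in reverse order even
            // when an exception is thrown; the original left all three JDBC objects open
            try (Connection connection = DriverManager.getConnection(
                        java_SQL速配.url("jdbc"), java_SQL速配.USER, java_SQL速配.PWD);
                 // the SQL is pre-compiled with a '?' placeholder; the real value is bound later
                 PreparedStatement ps = connection.prepareStatement("select * from student where name=?")) {
                // 1. bind the placeholder (first argument: 1-based position, second: value).
                // The entire string, including "or 1=1", is sent as one literal and matched
                // against the name column; it never becomes part of the WHERE clause.
                ps.setString(1, "'田博' or 1=1");
                // 2. execute: a query returns a result set
                try (ResultSet rs = ps.executeQuery()) {
                    // a fresh result set is already positioned before the first row, so the
                    // original beforeFirst() call was redundant and, per the JDBC contract,
                    // may throw on a TYPE_FORWARD_ONLY result set (the default type)
                    while (rs.next()) {
                        System.out.println(rs.getObject(1));
                        System.out.println(rs.getObject(2));
                        System.out.println(rs.getObject(3));
                    }
                }
                // for statements that return no result set use ps.executeUpdate()
            }
        } catch (java.sql.SQLException | ClassNotFoundException e) {
            // demo program: report the failure and let main return; unchecked
            // exceptions are no longer masked by a catch-all
            e.printStackTrace();
        }
    }
}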