1.1 Statement，测试 SQL 注入问题
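package com.king.lesson02;

import com.king.lesson02.utils.JdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Demonstrates the SQL-injection problem of building a query with a plain
 * {@link Statement} and string concatenation.
 *
 * <p>The query in {@link #login} is INTENTIONALLY vulnerable so the lesson can show
 * why user input must never be spliced into SQL text. The lesson03 version of this
 * class fixes it with {@code PreparedStatement} and {@code ?} placeholders.
 */
public class SQL {

    /**
     * Runs the demo. The normal login is left commented out, as on the original
     * page; the second call shows the essence of SQL injection: the SQL text is
     * concatenated, so a value that makes the expression after {@code OR} true
     * widens the WHERE clause and leaks data.
     */
    public static void main(String[] args) {
        //login("king", "123456");
        login("'or'2>1", "'or'1=1");
    }

    /**
     * "Login" by selecting the user row whose NAME and password match the arguments.
     *
     * <p>WARNING: {@code username} and {@code password} are concatenated straight into
     * the SQL text. Any input containing a single quote changes the structure of the
     * statement, which is the SQL-injection defect this lesson demonstrates. Never
     * write production code this way.
     *
     * @param username value spliced, unescaped, into the {@code NAME} comparison
     * @param password value spliced, unescaped, into the {@code password} comparison
     */
    public static void login(String username, String password) {
        Connection conn = null;
        Statement st = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();  // obtain the database connection
            st = conn.createStatement();       // plain Statement: no parameter binding at all
            // Intended statement for well-formed input:
            //   SELECT * FROM users WHERE `NAME`='king' AND `password`='123456'
            // Single quotes (') delimit SQL string literals; a space is required before AND.
            String sql = "SELECT * from users where `NAME`='" + username
                    + "' AND `password`='" + password + "'";
            rs = st.executeQuery(sql);         // returns every matching row
            while (rs.next()) {
                // Only the name is printed: the password column is a credential and
                // must not be written to stdout or to logs.
                // NOTE(review): the query compares the password column directly, which
                // suggests plaintext storage — verify; passwords should be stored hashed.
                System.out.println(rs.getString("NAME"));
            }
        } catch (SQLException e) {
            e.printStackTrace();               // demo program: surface the failure on stderr
        } finally {
            JdbcUtils.release(conn, st, rs);   // releases the resources (essentially close())
        }
    }
}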
1.2 PreparedStatement(测试)
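package com.king.lesson03;

import com.king.lesson02.utils.JdbcUtils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

/**
 * SQL-injection test using {@link PreparedStatement}.
 *
 * <p>The user-supplied values are bound to {@code ?} placeholders instead of being
 * concatenated into the SQL text, so the statement structure is fixed before the
 * values are seen and the injection from lesson02 no longer works.
 */
public class SQL {

    /**
     * Runs the demo with a normal username/password. The injection attempt from
     * lesson02 is left commented out, as on the original page; with parameter
     * binding it simply matches no row.
     */
    public static void main(String[] args) {
        login("king", "123456");
        //login("'or'2>1", "'or'1=1");
    }

    /**
     * "Login" by selecting the user row whose NAME and password match the arguments.
     *
     * <p>The values are passed via {@link PreparedStatement#setString}, which is the
     * correct defence against SQL injection: the driver sends them as data, never as
     * part of the SQL text.
     *
     * @param username bound to the first placeholder ({@code NAME})
     * @param password bound to the second placeholder ({@code password})
     */
    public static void login(String username, String password) {
        Connection conn = null;
        PreparedStatement st = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();  // obtain the database connection
            // Intended statement:
            //   SELECT * FROM users WHERE `NAME`='king' AND `password`='123456'
            String sql = "SELECT * from users where `NAME`= ? AND `password`= ? ";
            st = conn.prepareStatement(sql);   // precompile: structure is fixed here
            st.setString(1, username);
            st.setString(2, password);
            rs = st.executeQuery();            // execute with the bound values
            while (rs.next()) {
                // Only the name is printed: the password column is a credential and
                // must not be written to stdout or to logs.
                // NOTE(review): the query compares the password column directly, which
                // suggests plaintext storage — verify; passwords should be stored hashed.
                System.out.println(rs.getString("NAME"));
            }
        } catch (SQLException e) {
            e.printStackTrace();               // demo program: surface the failure on stderr
        } finally {
            JdbcUtils.release(conn, st, rs);   // releases the resources (essentially close())
        }
    }
}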