MySQL_jdbc2 PreparedStatement防止注入问题

**注入的情况:**当我输入如下情况的时候:

package Project1;
//存在 sql注入大问题
import JDBCUtils.JDBCUtils;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;
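/**
 * Deliberately vulnerable login demo: the query text is assembled with
 * {@code String.format}, so whatever the user types becomes part of the SQL
 * (SQL injection). Kept only to contrast with {@code Login}, which binds the
 * same inputs through a {@code PreparedStatement}. Do not copy this pattern.
 */
public class Loginsqlzhuru {
    /**
     * Reads a username and password from stdin and runs an unparameterized
     * SELECT against table {@code p}, printing whether a row matched.
     *
     * @param args unused
     * @throws SQLException if the statement cannot be obtained or executed
     */
    public static void main(String[] args) throws SQLException {
        // Not closed on purpose: closing a Scanner over System.in closes stdin.
        Scanner scanner = new Scanner(System.in);
        System.out.println("请输入username:");
        String name = scanner.nextLine();
        System.out.println("请输入password:");
        String password = scanner.nextLine();

        // VULNERABLE: raw input is spliced into the query text, so a quote
        // character in either field changes the statement's structure instead
        // of being treated as data. This is the whole point of the demo.
        String sql = String.format("select * from p where name='%s' and password='%s'", name, password);
        // Printed so the demo shows the final query; note this also writes the
        // plaintext password to stdout.
        System.out.println(sql);

        // try-with-resources closes the Statement and ResultSet (the original
        // leaked both). NOTE(review): whether the Connection behind
        // JDBCUtils.getStatement() should be closed here is not visible in this file.
        try (Statement statement = JDBCUtils.getStatement();
             ResultSet rs = statement.executeQuery(sql)) {
            if (rs.next()) {
                System.out.println("登录成功");
            } else {
                System.out.println("登录失败");
            }
        }
    }
}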


怎么防止sql注入呢?用 PreparedStatement

package Project1;

import JDBCUtils.JDBCUtils;

import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Scanner;

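/**
 * Login demo using a parameterized query: the SQL text is fixed before any
 * user input exists, and the values are bound with {@code setString}, so the
 * driver treats them as data and they cannot alter the statement's structure.
 */
public class Login {
    /**
     * Reads a username and password from stdin and checks for a matching row
     * in table {@code p} via a {@link PreparedStatement}.
     *
     * @param args unused
     * @throws SQLException if preparing or executing the statement fails
     */
    public static void main(String[] args) throws SQLException {
        // Not closed on purpose: closing a Scanner over System.in closes stdin.
        Scanner scanner = new Scanner(System.in);
        System.out.println("请输入username:");
        String name = scanner.nextLine();
        System.out.println("请输入password:");
        String password = scanner.nextLine();

        // Placeholders instead of concatenation/format: this is the injection fix.
        String sql = "select * from p where name=? and password=?";

        // NOTE(review): comparing the password column directly against the typed
        // value implies the stored password is plaintext; a real login would store
        // a salted hash and verify it in application code. Left as-is for the demo.
        // NOTE(review): whether the Connection from JDBCUtils.getConnection() is
        // owned by this method (and should be closed) is not visible in this file.
        try (PreparedStatement ps = JDBCUtils.getConnection().prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, password);
            // Both the PreparedStatement and the ResultSet are closed by
            // try-with-resources; the original left both open.
            try (ResultSet resultSet = ps.executeQuery()) {
                if (resultSet.next()) {
                    System.out.println("登陆成功");
                } else {
                    System.out.println("失败");
                }
            }
        }
    }
}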

转载自blog.csdn.net/tian1191132442/article/details/104763775