易被sql注入的代码
public class SqlInject {
public static void main(String[] args) throws Exception{
String url="jdbc:mysql:///db_scott";
String user="root";
String password="root";
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String username = sc.nextLine();//和next的区别可以输入空格
System.out.println("请输入密码:");
String pwd = sc.nextLine();
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url,user,password);
Statement state = conn.createStatement();
String sql="select count(1) from t_user where username='"+username+"' and password='"+pwd+"'";
System.out.println(sql);
ResultSet rs = state.executeQuery(sql);
if (rs.next()==true){
int count = rs.getInt(1);
if (count==1){
System.out.println("登陆成功!");
}else{
System.out.println("登陆失败!");
}
}
rs.close();
state.close();
conn.close();
}
}
虽然账号是瞎写的,但是仍然成功登录
–很多同学私聊我,为什么
select count(1) from t_user where username='z/sd' and password='' or 1='1'
会恒成立,1=‘1’,在SQL中会自动将数字类型的字符串自动转为对应的数字,因此判断的时候其实是1=1,故恒成立.
public class SqlInject2 {
public static void main(String[] args) throws Exception{
String url="jdbc:mysql:///db_scott?useSSL=false";
String user="root";
String password="root";
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String username = sc.nextLine();//和next的区别可以输入空格
System.out.println("请输入密码:");
String pwd = sc.nextLine();
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection(url,user,password);
String sql="select count(1) from t_user where username=? and password=?";
PreparedStatement peds = conn.prepareStatement(sql);
//绑定参数
peds.setString(1,username);
peds.setString(2,pwd);
System.out.println(sql);
ResultSet rs = peds.executeQuery();
if (rs.next()==true){
int count = rs.getInt(1);
if (count==1){
System.out.println("登陆成功!");
}else{
System.out.println("登陆失败!");
}
}
rs.close();
peds.close();
conn.close();
}
}
注意事项:
可以通过?useSSL=false来取消红色提示信息。
也可以换一种思路:先根据用户名查出来密码,再根据密码匹配。
