jdbc-- StatementSQL注入演示

StatementSQL注入演示

解决方案:
preparedStatement
测试用户名: 1' or
测试密码: or '1'='1

// StatementSQL注入演示
    @Test
    public void statementSqlDemo() throws ClassNotFoundException, InstantiationException, IllegalAccessException, SQLException, IOException {
    
    

        // 注册驱动
        Class<?> aClass = Class.forName("com.mysql.jdbc.Driver");
        Driver driver =(Driver) aClass.newInstance();
        DriverManager.registerDriver(driver);
        FileInputStream fileInputStream = new FileInputStream("src/cn/usts/edu/config/db.properties");
        Properties properties = new Properties();
        properties.load(fileInputStream);
        String url=(String) properties.get("url");
        String user=(String) properties.get("user");
        String password=(String) properties.get("password");

        // 建立连接
        Connection connection = DriverManager.getConnection(url, user, password);

        // 执行sql
        Scanner scanner = new Scanner(System.in);
        System.out.println("输入用户名");//
        String name = scanner.nextLine();// nextLine不会空格切断    用户名 1' or
        System.out.println("输入密码");  
        String psd = scanner.nextLine();// nextLine不会空格切断   万能密码 or '1' = 1'
        String sql ="select admin.amin,admin.psd from admin where amin='"+name+"'and psd='"+psd+"'";

        Statement statement = connection.createStatement();
        ResultSet resultSet = statement.executeQuery(sql);

        // 获取结果
        if (resultSet.next()){
    
     // 查询到结果才会有记录
            System.out.print("登陆成功");
        }else{
    
    
            System.out.print("登陆失败");
        }


        // 切断链接
        resultSet.close();
        statement.close();
        connection.close();


    }