一.Sql注入
-
利用Statement写一个用户登录,执行的sql将会是:
用户输入用户名:admin
用户输入密码: 123456
后台程序执行
select * from users where uname = ‘admin’ and pwd = ‘123456’ -
如果改为如下输入信息
用户输入用户名:’ or 1=1 or ’
用户输入密码: 123456
后台程序执行
select * from users where uname = ‘’ or 1=1 or ‘’ and pwd = ‘123456’
将这种情况,称之为sql注入
二.Statement
public static void select2(String names,String passwords){
JDBCUtils jdbcUtils = new JDBCUtils();
Connection conn = null;
Statement stmt = null;
ResultSet rs = null;
try {
Class.forName(JDBCUtils.DRIVER);
conn = DriverManager.getConnection(JDBCUtils.URL,JDBCUtils.USER,JDBCUtils.PASSWORD);
stmt = conn.createStatement();
String sql = "SELECT * FROM s_student WHERE s_user = '"+names+"' OR s_password = '"+passwords+"'";
rs = stmt.ex