The simplest implementation of login injection prevention

Originally the login was written like this:

```java
/**
 * Fetch the logging-in user.
 * @param userName
 * @param md5password
 * @return
 */
@SuppressWarnings("unchecked")
public Map<String, Object> getFabaoUser(String userName, String md5password) {
    // Vulnerable on purpose (the "before" version): the user-supplied values are
    // concatenated straight into the SQL string, so they are parsed as SQL.
    String loginSQL = "select * from CM_CONF_User where Login_Name='" + userName
                    + "' and Password='" + md5password + "'";
    Map<String, Object> u = null;
    try {
        //List<FabaoUser> list = this.findPojoBySqlToBean(loginSQL, FabaoUser.class);
        List<Map<String, Object>> list = this.DBSelect(loginSQL);
        if (list != null && list.size() > 0) {
            u = list.get(0);
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return u;
}
```

When I entered `' or 1=1 --` as the login name, the login succeeded! That forced me to add injection prevention.

Later, following the approach others use, I switched to prepared (precompiled) statements to prevent SQL injection:

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.HashMap;
import java.util.Map;

/**
 * Fetch the logging-in user with a PreparedStatement: the user-supplied values
 * are bound as parameters, so the database never parses them as SQL.
 * @param userName
 * @param md5password
 * @return
 */
public Map<String, Object> getFabaoUser(String userName, String md5password) throws SQLException {
    String loginSQL = "select User_ID from CM_CONF_User where Login_Name= ? and Password=? ";
    // try-with-resources closes the connection, statement and result set on every path
    try (Connection conn = ConnectionUtil.getConnection();
         PreparedStatement preState = conn.prepareStatement(loginSQL)) {
        preState.setString(1, userName);    // bound as data, not spliced into the query
        preState.setString(2, md5password);
        try (ResultSet rs = preState.executeQuery()) {
            if (rs.next()) {
                String userId = rs.getObject("User_ID").toString();
                Map<String, Object> u = new HashMap<String, Object>();
                u.put("User_ID", userId);
                return u;
            }
        }
    }
    return null;
}
```
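As an added example that is not part of the original post, the two queries above are reproduced in Python against an in-memory SQLite table, so the effect of the `' or 1=1 --` input on each version can be observed directly. The table, the single user row, and the md5 helper are constructed here for the demonstration.

```python
import hashlib
import sqlite3


def md5(text: str) -> str:
    # The post stores an MD5 hex digest as the password column.
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the CM_CONF_User table with one user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CM_CONF_User "
                 "(User_ID INTEGER PRIMARY KEY, Login_Name TEXT, Password TEXT)")
    conn.execute("INSERT INTO CM_CONF_User VALUES (1, 'alice', ?)", (md5("correct horse"),))
    conn.commit()
    return conn


def login_concatenated(conn, user_name: str, md5password: str):
    # Mirrors the post's original query: input is spliced into the SQL text,
    # so a quote and a '--' comment in user_name rewrite the WHERE clause.
    sql = ("select User_ID from CM_CONF_User where Login_Name='" + user_name
           + "' and Password='" + md5password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_prepared(conn, user_name: str, md5password: str):
    # Mirrors the post's fixed query: '?' placeholders bind the values as data.
    sql = "select User_ID from CM_CONF_User where Login_Name=? and Password=?"
    row = conn.execute(sql, (user_name, md5password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = make_db()
    payload = "' or 1=1 -- "          # the input from the post
    return {
        "concat_valid": login_concatenated(conn, "alice", md5("correct horse")),
        "concat_payload": login_concatenated(conn, payload, md5("wrong")),
        "prepared_valid": login_prepared(conn, "alice", md5("correct horse")),
        "prepared_payload": login_prepared(conn, payload, md5("wrong")),
    }
```

Only the concatenated version returns a User_ID for the payload; the prepared version treats the whole string as a literal login name and finds no row.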