1、使用“Statement”场景，动态拼接SQL，参数内容会被当作SQL语句的一部分解析，会有注入危险
2、使用“PreparedStatement”场景，参数以绑定值方式传入、不会被当作SQL解析，可避免
参数赋值如下,查不到
正常情况,可查
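@Test
public void queryAccount1() {
    // Parameterized form: the login name is bound as a value, so whatever the
    // string contains it is never parsed as SQL (contrast with queryAccount2).
    String sql = "select * from account where login_name=? ";
    Connection con = DBUtil.getConnection();
    // Statement and result set are closed by try-with-resources even when the
    // query throws; the original left both open and relied on the connection
    // teardown in DBUtil to release them.
    try (PreparedStatement ps = con.prepareStatement(sql)) {
        // Bind the single positional parameter; the driver takes care of quoting.
        ps.setObject(1, "taiji021");
        try (ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                System.out.println(rs.getInt("id") + "," + rs.getString("login_name"));
            }
        }
    } catch (SQLException e) {
        e.printStackTrace();
    } finally {
        // DBUtil owns the connection lifecycle (opened above, closed here).
        DBUtil.closeConnection();
    }
}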
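@Test
public void queryAccount2() {
    // Deliberate demonstration of the injection risk: the value is concatenated
    // into the SQL text, so the "or 1=1" inside it becomes part of the WHERE
    // clause and the query matches every row instead of a single login name.
    // Application code must bind the value as in queryAccount1 instead.
    String sql = "select * from account where login_name= ";
    String param = "'taiji021' or 1=1";
    sql = sql + param;
    Connection con = DBUtil.getConnection();
    // Close the statement and result set deterministically; the original
    // never closed either and relied on the connection teardown.
    try (Statement s = con.createStatement();
         ResultSet rs = s.executeQuery(sql)) {
        while (rs.next()) {
            System.out.println(rs.getInt("id") + "," + rs.getString("login_name"));
        }
    } catch (SQLException e) {
        e.printStackTrace();
    } finally {
        // DBUtil owns the connection lifecycle (opened above, closed here).
        DBUtil.closeConnection();
    }
}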