import java.sql.*;
import java.util.HashMap;
import java.util.Map;
import java.util.ResourceBundle;
import java.util.Scanner;
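/**
 * Demonstrates a login check that avoids SQL injection.
 *
 * <p>The SQL text is a fixed string that is handed to the database for precompilation through
 * {@link PreparedStatement}. The user-supplied name and password are bound afterwards as
 * parameter values, so they never take part in compiling the statement.
 *
 * <p>Placeholders bind values only. Identifiers such as table or column names cannot be
 * supplied through {@code ?} and must not be assembled from user input.
 */
public class JDBCTest07 {

    /**
     * Reads the credentials from standard input, checks them and prints the outcome.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // Collect the credentials typed by the user.
        Map<String, String> loginPage = initLoginPage();
        // Check them against the database.
        boolean loginStatus = login(loginPage);
        System.out.println(loginStatus ? "sign in successfully" : "sign in failed");
    }

    /**
     * Checks the submitted credentials against the {@code t_user} table.
     *
     * <p>Connection settings ({@code driver}, {@code url}, {@code user}, {@code password}) are
     * read from the {@code JDBC} resource bundle. A driver or SQL failure is printed and leaves
     * the result at {@code false}, so an error is never treated as a successful login.
     *
     * @param loginPage map holding the entries {@code "username"} and {@code "password"}
     * @return {@code true} if a row matches both values, {@code false} otherwise
     */
    private static boolean login(Map<String, String> loginPage) {
        String name = loginPage.get("username");
        String pw = loginPage.get("password");

        ResourceBundle bundle = ResourceBundle.getBundle("JDBC");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String pword = bundle.getString("password");

        // The statement text is constant; each ? is a placeholder for a value bound below.
        // NOTE(review): comparing the submitted password with the column directly only works
        // if t_user stores passwords in plaintext. Outside a demo, store a salted slow hash
        // (bcrypt/scrypt/argon2) and verify it in application code.
        String sql = "select loginname,password from t_user where loginname = ? and password = ?";

        boolean isSuccess = false;
        try {
            Class.forName(driver);
            // try-with-resources closes the result set, statement and connection in reverse
            // order on every path, including when an exception is thrown.
            try (Connection conn = DriverManager.getConnection(url, user, pword);
                    // The SQL skeleton is sent to the DBMS for precompilation here.
                    PreparedStatement ps = conn.prepareStatement(sql)) {
                // Parameter indexes start at 1: the first ? is 1, the second ? is 2.
                ps.setString(1, name);
                ps.setString(2, pw);
                try (ResultSet rs = ps.executeQuery()) {
                    // Only the existence of a matching row is used; no column is read.
                    isSuccess = rs.next();
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            // NOTE(review): a stack trace can reveal connection details; an application
            // would log this through its logging framework instead.
            e.printStackTrace();
        }
        return isSuccess;
    }

    /**
     * Prompts for a user name and a password on standard input.
     *
     * @return a map with the entries {@code "username"} and {@code "password"} as typed
     */
    private static Map<String, String> initLoginPage() {
        // The scanner is left open on purpose: closing it would also close System.in.
        Scanner s = new Scanner(System.in);
        System.out.println("username:");
        String username = s.nextLine();
        // NOTE(review): the password is echoed while it is typed. System.console().readPassword()
        // avoids the echo when a console is attached.
        System.out.println("password:");
        String password = s.nextLine();

        Map<String, String> loginPage = new HashMap<>();
        loginPage.put("username", username);
        loginPage.put("password", password);
        return loginPage;
    }
}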
JDBC模拟用户登录并防止SQL注入