sql注入
package com.wkw.jdbc;
import com.wkw.pojo.Account;
import org.testng.annotations.Test;
import java.sql.*;
import java.util.ArrayList;
import java.util.List;
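public class JDBCDemo5 {

    // Connection parameters for the local demo database. Credentials are hard-coded here
    // only because this is a classroom example; production code reads them from configuration.
    private static final String URL =
            "jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&useSSL=false";
    private static final String DB_USER = "root";
    private static final String DB_PASSWORD = "root";

    /**
     * "Normal" login: a well-formed username and password are concatenated into the query.
     * Even with benign input the query construction below is unsafe; this method exists only
     * to contrast with {@link #Login_inject()}, which feeds the same code an injection string.
     *
     * @throws Exception if the database cannot be reached or the query fails
     */
    @Test
    public void Login() throws Exception {
        loginWithConcatenatedSql("zhangsan", "123");
    }

    /**
     * Same login path, but the "password" is an SQL fragment. Because the value is spliced into
     * the statement text, the WHERE clause is rewritten to an always-true condition and the
     * query returns a row although no such user/password pair exists. The fix is shown in the
     * companion {@code JDBCDemo6} (placeholders bound via {@code PreparedStatement}).
     *
     * @throws Exception if the database cannot be reached or the query fails
     */
    @Test
    public void Login_inject() throws Exception {
        loginWithConcatenatedSql("sdfgfsdg", "' or ' 1 ' = ' 1");
    }

    /**
     * Runs the login query with both inputs concatenated directly into the SQL text and prints
     * whether a matching row was found.
     *
     * <p>INTENTIONALLY VULNERABLE: string-building SQL from user-controlled values is the defect
     * this demo illustrates. Do not copy this pattern; bind parameters with
     * {@code PreparedStatement} instead. Note also that "a row matched" is used as the login
     * verdict and the password column is compared in plaintext, which is itself not how
     * credentials should be verified in real code.
     *
     * @param name username value spliced into the query
     * @param pwd password value spliced into the query
     * @throws SQLException if connecting or executing the query fails
     */
    private static void loginWithConcatenatedSql(String name, String pwd) throws SQLException {
        // Driver registration (Class.forName) is no longer required with JDBC 4 drivers.
        String sql = "select * from user where username = '" + name + "' and password = '" + pwd + "'";
        // try-with-resources closes the ResultSet, Statement and Connection in reverse order
        // even when executeQuery throws; the original closed them only on the happy path.
        try (Connection conn = DriverManager.getConnection(URL, DB_USER, DB_PASSWORD);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            if (rs.next()) {
                System.out.println("登陆成功");
            } else {
                System.out.println("登陆失败");
            }
        }
    }
}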
/*----------------------------sql注入------------------------------------------------------*/
预防SQL注入
package com.wkw.jdbc;
import org.testng.annotations.Test;
import java.sql.*;
/*PreparedStatement*/
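public class JDBCDemo6 {

    // Connection parameters for the local demo database. Credentials are hard-coded here
    // only because this is a classroom example; production code reads them from configuration.
    private static final String URL =
            "jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=utf-8&useSSL=false";
    private static final String DB_USER = "root";
    private static final String DB_PASSWORD = "root";

    /**
     * Parameterised counterpart of the concatenation demo in {@code JDBCDemo5}.
     *
     * <p>The same injection-shaped password is supplied, but it is bound to a {@code ?}
     * placeholder with {@link PreparedStatement#setString}. The statement text sent to the
     * server is fixed at prepare time, so the value is treated as data to compare against the
     * password column rather than as SQL, and the always-true trick no longer applies.
     *
     * <p>Limits of the demo: success is judged by "a row matched" and the password column is
     * compared in plaintext; real authentication code verifies a salted password hash.
     *
     * @param args unused
     * @throws Exception if the database cannot be reached or the query fails
     */
    public static void main(String[] args) throws Exception {
        // Driver registration (Class.forName) is no longer required with JDBC 4 drivers.
        String name = "zhangsan";
        String pwd = "' or ' 1 ' = ' 1";

        // The statement text never changes; only the bound values do. Printing it once is enough.
        String sql = "select * from user where username = ? and password = ?";
        System.out.println(sql);

        // try-with-resources releases every JDBC resource even if executeQuery throws;
        // the original closed them only on the happy path.
        try (Connection conn = DriverManager.getConnection(URL, DB_USER, DB_PASSWORD);
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, name);
            pstmt.setString(2, pwd);
            try (ResultSet rs = pstmt.executeQuery()) {
                if (rs.next()) {
                    System.out.println("登陆成功");
                } else {
                    System.out.println("登陆失败");
                }
            }
        }
    }
}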