2种SQL注入演示,不知道密码也可以登录
-- 正常登录
select * from login1 where username ='zhangsan'and password = '123'
-- 用户名任意,密码输入: ' or '1'='1
select * FROM login1 where username = 'xyz' and password = '' or '1'='1'
-- 用户名zhangsan已知的情况下,用户名输入: zhangsan' -- (zhangsan' 空格--空格) 密码输入: 任意
select * from login1 where username ='zhangsan' -- ' and password = 'xxx'
登陆成功
或者
登陆成功
只修改dao层实现就可以,try代码有问题的话会不执行,直接catch了,数据库url错误之类的。
IUserDao2.java
package com.heima.dao;
import com.heima.pojo.Client;
import java.util.List;
public interface IUserDao2 {
List<Client> findClient(String userName, String password);
}
UserDaoImpl2.java
package com.heima.dao.impl;
import com.heima.dao.IUserDao2;
import com.heima.pojo.Client;
import java.sql.*;
import java.util.ArrayList;
import java.util.List;
public class UserDaoImpl2 implements IUserDao2 {
@Override
public List<Client> findClient(String userName, String password1) {
//用占位符防止sql注入的写法
// String sql = "select * from login1 where userName = ? and password = ?";
// List<Client> clientList = jdbcTemplate.query(sql, new BeanPropertyRowMapper<>(Client.class), userName, password);
// return clientList;
List<Client> clientList = new ArrayList<>();
//错误写法,add()的空指针异常,无法添加list,直接catch了
//List<Client> clientList = null;
Connection con = null;
Statement st = null;
ResultSet rs = null;
try {
Class.forName("com.mysql.jdbc.Driver");
con = DriverManager.getConnection("jdbc:mysql://localhost:3306/user_manager","root","root");
st = con.createStatement();
String sql = "select * from login1 where username ='" + userName + "'and password = '" + password1 + "'";
System.out.println("sql = " + sql);
rs = st.executeQuery(sql);
while (rs.next()) {
String username = rs.getString("username");
String password = rs.getString("password");
Client client = new Client();
client.setUserName(username);
client.setPassword(password);
clientList.add(client);
System.out.println("client = " + client);
}
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
if (rs != null) {
rs.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
try {
if (st != null) {
st.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
try {
if (con != null) {
con.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
return clientList;
}
}
Client.java
package com.heima.pojo;
public class Client {
private int id;
private String userName;
private String password;
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getUserName() {
return userName;
}
public void setUserName(String userName) {
this.userName = userName;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
LoginServlet.java
package com.heima.web;
import com.heima.pojo.Client;
import com.heima.service.IUserService;
import com.heima.service.impl.UserServiceImpl;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.List;
@WebServlet(urlPatterns = "/loginServlet")
public class LoginServlet extends HttpServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doPost(request, response);
}
@Override
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
//0.处理post请求数据乱码
request.setCharacterEncoding("UTF-8");
String userName = request.getParameter("userName");
String password = request.getParameter("password");
IUserService userService = new UserServiceImpl();
List<Client> clientList = userService.findClient(userName, password);
//3.给浏览器生成响应信息
//如果能查到数据
if (clientList!=null&&clientList.size()>0){
//跳转到success.html
request.getRequestDispatcher("/success.jsp").forward(request,response);
}else{
//没有查到数据 跳转到error.jsp
request.getRequestDispatcher("/error.jsp").forward(request,response);
}
}
}
login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>登录页面</title>
<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="css/login.css" rel="stylesheet">
<script src="js/jquery.js"></script>
<script src="js/bootstrap.js"></script>
</head>
<body>
<div class="container text-center">
<form class="form-signin" action="http://localhost:8080/loginServlet">
<h2 class="form-signin-heading">登录页面</h2>
<input type="text" name="userName" class="form-control" placeholder="用户名" required autofocus>
<input type="password" name="password" class="form-control" placeholder="密码" required>
<button class="btn btn-lg btn-primary btn-block" type="submit">登录</button>
</form>
</div>
</body>
</html>
注入删表命令,没成功,有语法错误
select * from login1 where username = 'x' and password = 'y';delete from login1 where '1'='1'
rs = st.executeQuery(sql);
可能是java执行sql时候语句出错
在navicat中是可以执行的