-- Query text that the concatenating Java login method below produces when the
-- "username"/"password" values contain quote characters. The embedded quotes
-- terminate the string literals early, so the remainder of the input is parsed
-- as SQL rather than compared as a value; the trailing OR '1'='1' is true for
-- every row, which is why the lookup succeeds. With bound parameters
-- (PreparedStatement) the same input would be compared as an ordinary string.
SELECT * FROM myuser WHERE username = 'a' or '1'=' AND password = ' or '1'='1'
用 PreparedStatement 可以防止 SQL 注入攻击
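/**
 * Demonstrates why a login query built by string concatenation is open to
 * SQL injection.
 *
 * <p>The two locals stand in for form input (the values a normal user would
 * send are shown in the trailing comments). Because they are spliced straight
 * into the SQL text, the quote characters inside them become part of the
 * statement's structure instead of being compared as data, and the lookup
 * succeeds without a valid credential pair. The assembled query is printed
 * before it is executed so the resulting statement can be inspected.
 *
 * <p>This method is intentionally vulnerable and is kept only as the "before"
 * half of the comparison; the fix is a {@link java.sql.PreparedStatement}
 * with {@code ?} placeholders and {@code setString(...)}, which passes the
 * values as parameters rather than query text.
 *
 * <p>Relies on {@code connect2mysql1()} from the enclosing class, which is
 * assumed to return an open connection (not visible here). Any exception is
 * printed and swallowed; the result set, statement and connection are closed
 * in {@code finally} so a failed run does not leak them.
 */
public static void SQLattach() {
    String username = "a' or '1'=";// "Tom";
    String password = " or '1'='1";// "123456";
    // VULNERABLE (on purpose): the values are concatenated into the SQL text,
    // so their quote characters change the statement rather than being data.
    String sql = "SELECT * FROM myuser " + "WHERE username = '" + username
            + "' AND password = '" + password + "'";
    System.out.println(sql);
    Connection conn = null;
    java.sql.Statement st = null;
    ResultSet rs = null;
    try {
        conn = connect2mysql1();
        st = conn.createStatement();
        rs = st.executeQuery(sql);
        if (rs.next()) {
            String user = rs.getString(1);
            String pd = rs.getString("password");
            System.out.println("登陆成功!");
            // Demo output only: a real login path should never echo a stored
            // credential column.
            System.out.println(user + ", " + pd);
        } else {
            System.out.println("登陆失败!");
        }
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        // Release JDBC resources in reverse order of acquisition; each close is
        // guarded separately so one failure does not skip the others.
        if (rs != null) {
            try { rs.close(); } catch (Exception ignored) { /* best effort */ }
        }
        if (st != null) {
            try { st.close(); } catch (Exception ignored) { /* best effort */ }
        }
        if (conn != null) {
            try { conn.close(); } catch (Exception ignored) { /* best effort */ }
        }
    }
}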