解决 SQL 注入问题:使用 PreparedStatement 参数化查询
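/**
 * Handles the registration button: reads the form fields and inserts a new
 * row into {@code users} through a parameterized statement.
 *
 * <p>Every user-supplied value is bound to a {@code ?} placeholder, so the
 * input travels as data and cannot alter the structure of the SQL text.
 *
 * <p>The outcome dialog reflects what actually happened: success is reported
 * only when the INSERT affected at least one row. Missing credentials, a
 * malformed birthday and any {@link SQLException} are all reported as failure.
 *
 * @param evt the Swing action event (unused)
 */
private void btnSubmitActionPerformed(java.awt.event.ActionEvent evt) {
    String userName = txtName.getText();
    // NOTE(review): copying the char[] into a String leaves the password in an
    // immutable object that cannot be wiped after use.
    String password = new String(txtPassword.getPassword());
    String email = txtEmail.getText();
    String birthday = txtBirthday.getText();

    // Validate before touching the database; the original tested these values
    // only after the INSERT had already run, so the test could never fail it.
    if (userName == null || userName.isEmpty() || password.isEmpty()) {
        JOptionPane.showMessageDialog(this, "注册失败!");
        return;
    }

    // Date.valueOf throws IllegalArgumentException for anything that is not
    // yyyy-[m]m-[d]d (including null); treat that as a failed registration
    // instead of letting it escape the event handler.
    Date birthDate;
    try {
        birthDate = Date.valueOf(birthday);
    } catch (IllegalArgumentException e) {
        JOptionPane.showMessageDialog(this, "注册失败!");
        return;
    }

    Connection con = null;
    PreparedStatement ps = null;
    String sql = "insert into users(name,password,email,birthday)values(?,?,?,?) ";
    boolean registered = false;
    try {
        con = DBManager.getConnection();
        ps = con.prepareStatement(sql);
        ps.setString(1, userName);
        // NOTE(review): the password is stored exactly as typed. A salted, slow
        // password hash (bcrypt / scrypt / Argon2 / PBKDF2) should be stored
        // instead; that needs a matching change in the login check.
        ps.setString(2, password);
        ps.setString(3, email);
        ps.setDate(4, birthDate);
        // Success is defined by the number of rows the INSERT affected.
        registered = ps.executeUpdate() > 0;
    } catch (SQLException e) {
        // Keep the diagnostic on the console, but fail closed for the user.
        e.printStackTrace();
    } finally {
        DBManager.dbClose1(ps, con);
    }

    // Shown after the resources are released so that a modal dialog does not
    // keep the database connection open while waiting for the user.
    JOptionPane.showMessageDialog(this, registered ? "注册成功!" : "注册失败!");
}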
/**
 * Handles the logon button by creating a {@code Logon} window and showing it.
 *
 * @param evt the Swing action event (unused)
 */
private void btnLogonActionPerformed(java.awt.event.ActionEvent evt) {
    Logon logonWindow = new Logon();
    logonWindow.setVisible(true);
}
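/**
 * Handles the login button: looks up a {@code users} row matching the entered
 * name and password and reports whether one exists.
 *
 * <p>An earlier version of this method built the query by concatenating the
 * name and password into the SQL text, which let the input change the query
 * itself. The values are now bound to {@code ?} placeholders of a
 * {@link PreparedStatement}, so they are always treated as data.
 *
 * <p>Login fails closed: a {@link SQLException} is reported to the user as a
 * failed login rather than leaving the dialog silent.
 *
 * @param evt the Swing action event (unused)
 */
private void btnloginActionPerformed(java.awt.event.ActionEvent evt) {
    String userName = txtName.getText();
    // NOTE(review): copying the char[] into a String leaves the password in an
    // immutable object that cannot be wiped after use.
    String password = new String(txtPassword.getPassword());
    Connection con = null;
    PreparedStatement ps = null;
    ResultSet rs = null;
    // The listing had "andpassword" with no space, which is not valid SQL.
    String sql = "select id from users where name=? and password=?";
    boolean authenticated = false;
    try {
        con = DBManager.getConnection();
        ps = con.prepareStatement(sql);
        ps.setString(1, userName);
        // NOTE(review): this compares the typed password with the stored column
        // directly, i.e. passwords are kept in plaintext. Prefer selecting the
        // stored salted hash by name and verifying it in the application.
        ps.setString(2, password);
        rs = ps.executeQuery();
        // Any matching row means the credentials were accepted.
        authenticated = rs.next();
    } catch (SQLException e) {
        // Keep the diagnostic on the console; authenticated stays false.
        e.printStackTrace();
    } finally {
        DBManager.dbClose(rs, ps, con);
    }

    // Shown after the resources are released so that a modal dialog does not
    // keep the database connection open while waiting for the user.
    JOptionPane.showMessageDialog(this, authenticated ? "登陆成功!" : "登陆失败!");
}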