防止sql注入
- 1.使用预编译语句,他内置了处理SQL注入的能力,只要使用它的setString方法进行传值即可:
String sql = "select * from users where username = ? and password = ?"
PreparedStatement psd = conn.preparetement(sql)
psd.setString(1,userName)
psd.setString(2,password)
ResultSet rs = psd.executeQuery()
- 2.采用正则表达是将包含有单引号,分号, 和注释符号– 的语句给替换掉
public static String sql(String str){
return str.replaceAll(".*([';]+|(--)+)"," ");
}
userName = sql(userName);
password = sql(password);
String sql = "select * from users where username='"+userName"' and password = '"password+"'";
Statement sta = conn.createStatement();
ResultSet rs = sta.executeQuery(sql);