package cn.zxj.jdbc;
import java.sql.*;
import java.util.Scanner;
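public class JdbcDemo {

    // Legacy Connector/J driver class name. JDBC 4+ drivers self-register, but the
    // explicit load is kept so the demo fails fast when the driver jar is missing.
    private static final String DRIVER = "com.mysql.jdbc.Driver";
    // Connection settings shared by both lookups. Inline credentials are acceptable only
    // for a local demo; real code reads them from configuration, never from source control.
    private static final String URL = "jdbc:mysql://localhost:3306/jdbc";
    private static final String USERNAME = "root";
    private static final String PASSWORD = "123";

    /**
     * Runs both lookups back to back: the string-concatenated variant, which is
     * injectable, then the parameterised variant, which is not.
     *
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException           on any connection or query failure
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        statementMethod();          // vulnerable: SQL text built by concatenating user input
        preparedStatementMethod();  // safe: placeholders bound with setObject
    }

    /**
     * Looks up a user with a {@link PreparedStatement}.
     *
     * <p>The two bound values are the same text that changes the query in
     * {@link #statementMethod()}; here they are sent as parameters, so the database
     * compares them literally and the query returns nothing.
     *
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException           on any connection or query failure
     */
    private static void preparedStatementMethod() throws ClassNotFoundException, SQLException {
        // 1. Register the driver.
        Class.forName(DRIVER);
        // 2./3. Open the connection and prepare the parameterised query. try-with-resources
        //       closes the statement and connection even when executeQuery() throws; the
        //       original closed them only on the success path.
        String sql = "select * from users where username = ? and password = ?";
        try (Connection connection = DriverManager.getConnection(URL, USERNAME, PASSWORD);
             PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
            // 4. Bind the placeholders. Values never become part of the SQL text.
            preparedStatement.setObject(1, "'u' or '1=1'");
            preparedStatement.setObject(2, "'p' or '1=1'");
            // 5./6. Execute the query and print the result set.
            try (ResultSet resultSet = preparedStatement.executeQuery()) {
                printRows(resultSet);
            }
        }
        // 7. Resources are released by the try-with-resources blocks above.
    }

    /**
     * Looks up a user with a plain {@link Statement}, building the SQL text from console
     * input.
     *
     * <p>DELIBERATELY VULNERABLE. The input is spliced straight into the query, so anything
     * the user types is parsed as SQL rather than treated as a value. It is kept only as the
     * contrast case for {@link #preparedStatementMethod()}; do not copy this pattern.
     *
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException           on any connection or query failure
     */
    private static void statementMethod() throws ClassNotFoundException, SQLException {
        // 1. Register the driver.
        Class.forName(DRIVER);
        // 2./3. Open the connection and create a statement; both are closed on every path.
        try (Connection connection = DriverManager.getConnection(URL, USERNAME, PASSWORD);
             Statement statement = connection.createStatement()) {
            // 4. Read both values from ONE Scanner. The original created a second Scanner on
            //    System.in for the password; the first Scanner's buffer can swallow input
            //    meant for the second, so the password prompt could see empty or wrong text.
            //    The Scanner is intentionally not closed, since that would close System.in.
            Scanner scanner = new Scanner(System.in);
            System.out.println("请输入用户名");
            String un = scanner.nextLine();
            System.out.println("请输入密码");
            String pw = scanner.nextLine();
            // Injection point: user text is concatenated into the SQL, unquoted and unescaped.
            String sql = "select * from users where username=" + un + " and password=" + pw;
            System.out.println(sql);
            // 5. Execute and print; the ResultSet is closed by its own try-with-resources.
            try (ResultSet resultSet = statement.executeQuery(sql)) {
                printRows(resultSet);
            }
        }
        // 6. Resources are released by the try-with-resources blocks above.
    }

    /**
     * Prints every row of {@code resultSet} as {@code column1:column2}.
     *
     * <p>Shared by both lookups so the two methods render identical output.
     *
     * @param resultSet an open result set positioned before its first row
     * @throws SQLException if reading the result set fails
     */
    private static void printRows(ResultSet resultSet) throws SQLException {
        while (resultSet.next()) {
            System.out.println(resultSet.getString(1) + ":" + resultSet.getString(2));
        }
    }
}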