Statement的问题
public static void main(String[] args) throws Exception {
Statement statement = con.createStatement();
String qid = "160341238 or 1 = 1";
String sql = "select * from students where id = " + qid;
ResultSet query = statement.executeQuery(sql);
while(query.next()){
String id = query.getString("id");
String name = query.getString("name");
String clazz = query.getString("clazz");
System.out.println(id + " " + name + " " + clazz);
}
/**Console:
* 160341238 赵承阳 160341B
aaa 詹金浩 160341B */
}
在上面这段代码中,查询的qid后面添加上了or 1 = 1
就可以把表中所有信息都查询出来,因为or 1 = 1
这句话是一定为真,而我们刚才使用的Statement又使用的是拼接字符串的方式,在字符串中or会被认为是关键字,所以sql语句的条件永远为真。可以采用PrepareStatement类来解决这个问题。
public static void main(String[] args) throws Exception {
String sql = "select * from students where id=?";
PreparedStatement ps = con.prepareStatement(sql);
/**
* 从1开始,把字符串填到匹配的?里。关键字也被认为是是字符串
*/
ps.setString(1, "160341238 or 1 = 1");
ResultSet query = ps.executeQuery();
while(query.next()){
String id = query.getString("id");
String name = query.getString("name");
String clazz = query.getString("clazz");
System.out.println(id + " " + name + " " + clazz);
}
//无结果
}