Statement的安全问题
->使用Statement开发步骤:
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/day06", "root", "247436");
//3.创建statement , 跟数据库打交道一定需要这个对象, 一种提供操作sql语句的接口;
Statement st = conn.createStatement();
//4.执行查询,获得结果
String sql = "select * from student";
ResultSet rs = st.executeQuery(sql);
当我们做用户登录时,本质是利用用户名和密码做sql的拼接,例如:
public void Login(String name , String pwd){
*****
*****//以用户名为张三 密码为123为例;
Statement st = conn.createStatement();
String sql = "select * from user ='" + name + "' and password = '" + pwd +"'";
ResultSet rs = st.executeQuery(sql);
if(rs.next){
System.out.println("登陆成功");
}else{
System.out.println("登陆失败");
}
}
手打,忽略try-catch,如有错误,请指出;
试想一下,当有人输入 用户名和密码,用户名:张三 密码:123 456 ‘ or ’ 1 =1会怎么样,
sql语句会被拼接为 select * from user = ‘张三‘ and password = ’123456‘ or 1=1;1=1为true 所以数据库会判定查询到数据,从而登录成功;
->Statement安全问题的解决办法:
引入PreparedStatement:
public void Login(String name , String pwd){
*****
*****//以用户名为张三 密码为123为例
String sql = "select * from user = ? and password = ? ";
PreparedStatement ps = conn.prepareStatement(sql);
ResultSet rs = ps.executeQuery();
if(rs.next){
System.out.println("登陆成功");
}else{
System.out.println("登陆失败");
}
}
手打,忽略try-catch,如有错误,请指出;
prepareStatement方法对sql语句的问号部分做语法检查,?对应的内容不论传入什么,都当做字符串处理,比Statement更安全;