1、正常登陆:
package com.hyc.study02;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
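public class PourIntoSql {
    public static void main(String[] args) {
        login("zxzb", "123456");
    }

    /**
     * Looks up the user row whose {@code NAME} and {@code PASSWORD} columns equal the
     * given credentials and prints each matching row to stdout.
     *
     * <p>Both values are bound as {@link PreparedStatement} parameters rather than
     * concatenated into the SQL text, so quote characters or a tautology such as
     * {@code ' or '1=1} are compared literally against the column and cannot change
     * the shape of the WHERE clause.
     *
     * @param username value compared against the {@code NAME} column
     * @param psw      value compared against the {@code PASSWORD} column
     */
    public static void login(String username, String psw) {
        Connection connection = null;
        PreparedStatement statement = null;
        ResultSet resultSet = null;
        try {
            connection = JDBCUtils.getConnection();
            // Placeholders keep the query text constant; the driver escapes the bound values.
            String sql = "SELECT * FROM `users` WHERE `NAME` = ? AND `PASSWORD` = ?";
            statement = connection.prepareStatement(sql);
            statement.setString(1, username);
            statement.setString(2, psw);
            resultSet = statement.executeQuery();
            while (resultSet.next()) {
                System.out.println(resultSet.getInt("id"));
                System.out.println(resultSet.getString("NAME"));
                // NOTE(review): echoing the stored password keeps the original demo output,
                // but production code should store a salted hash and never print this column.
                System.out.println(resultSet.getString("PASSWORD"));
                System.out.println(resultSet.getString("email"));
                System.out.println(resultSet.getDate("birthday"));
                System.out.println("===========================================");
            }
        } catch (SQLException throwables) {
            throwables.printStackTrace();
        } finally {
            // Assumes JDBCUtils.release takes a Statement parameter, as the original
            // listing passed one; a PreparedStatement is a Statement, so it closes here too.
            JDBCUtils.release(connection, statement, resultSet);
        }
    }
}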
结果:
2、SQL注入造成信息泄露:
package com.hyc.study02;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class PourIntoSql {
// Deliberately vulnerable version of the login demo: both arguments carry a quote
// character followed by an always-true condition, so the concatenated query below
// matches rows regardless of the real credentials.
public static void main(String[] args) {
login(" ' or '1=1", "' or '1=1");
}
// Builds the login query by string concatenation. `username` and `psw` are inserted into
// the SQL text unfiltered, which is the injection point this listing exists to show.
// The remedy is to bind both values through PreparedStatement placeholders (`?`) so the
// query shape stays fixed and the driver escapes the values.
public static void login(String username, String psw) {
Connection connection = null;
Statement statement = null;
ResultSet resultSet = null;
try {
connection = JDBCUtils.getConnection();
statement = connection.createStatement();
// A quote inside either argument terminates the string literal, and the remainder of the
// argument becomes part of the WHERE clause. Note also the missing space before AND.
String sql = "SELECT * FROM `users` WHERE `NAME`='" + username + "'AND `PASSWORD`='" + psw + "'";
resultSet = statement.executeQuery(sql);
while (resultSet.next()) {
System.out.println(resultSet.getInt("id"));
System.out.println(resultSet.getString("NAME"));
// Printing the stored password is itself a leak; it is shown here only to make the
// consequence of the bypass visible in the output.
System.out.println(resultSet.getString("PASSWORD"));
System.out.println(resultSet.getString("email"));
System.out.println(resultSet.getDate("birthday"));
System.out.println("===========================================");
}
} catch (SQLException throwables) {
throwables.printStackTrace();
} finally {
// Closes the result set, statement and connection regardless of outcome.
JDBCUtils.release(connection, statement, resultSet);
}
}
}
结果:
SQL注入产生的原因是后台服务器在接收相关参数时未经过滤就直接带入数据库查询。
通过对比1、2可以看出，2中的字符串拼接后，后台没有过滤就直接带入数据库查询，从而导致SQL注入。