DBLink.java
package jdbc.tool.db;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.apache.log4j.Logger;
import jdbc.tool.PropertiesTool;
public class DBLink {
private Logger logger = Logger.getLogger(DBLink.class);
/**
* 修改功能(放置SQL注入)
*
*@author Administrator
*/
public boolean update(String sql,Object...params) {
Connection connection =null;
PreparedStatement preparedStatement =null;
try {
connection=getConnection();
preparedStatement = connection.prepareStatement(sql);//含有?占位符的sql
for (int i = 0; i < params.length; i++) {
preparedStatement.setObject(i+1, params[i]);//为?赋值
}
return preparedStatement.executeUpdate()>0;
} catch (Exception e) {
logger.debug(e.getMessage(),e);
}
finally {
close(preparedStatement,connection);
}
return false;
}
/**
* 获取数据库连接
*
*@author Administrator
*/
private Connection getConnection() {
try {
Class.forName("com.mysql.jdbc.Driver");//加载驱动;
String username = PropertiesTool.getValue("db.username");
String password = PropertiesTool.getValue("db.password");
String url =PropertiesTool.getValue("db.url");
return DriverManager.getConnection(url, username, password);//获取连接
} catch (Exception e) {
logger.debug(e.getMessage(),e);
}
return null;
}
/**
* 查询功能
*
*@author Administrator
*/
public void select(String sql,IRowMapper rowMapper) {
Connection connection=null;
Statement statement=null;
ResultSet resultSet=null;
try {
connection=getConnection();
statement = connection.createStatement();
resultSet= statement.executeQuery(sql);//执行sql,将查询的数据存到ResultSet类型的变量中
rowMapper.rowMapper(resultSet);
} catch (Exception e) {
logger.debug(e.getMessage(),e);
}finally {
close(resultSet,statement,connection);
}
}
/**
* 查询功能 SQL注入
*
*@author Administrator
*/
public void select(String sql,IRowMapper rowMapper,Object...params) {
Connection connection=null;
PreparedStatement preparedStatement =null;
ResultSet resultSet=null;
try {
connection=getConnection();
preparedStatement = connection.prepareStatement(sql);//含有?占位符的sql
for (int i = 0; i < params.length; i++) {
preparedStatement.setObject(i+1, params[i]);//为?赋值
}
resultSet= preparedStatement.executeQuery();//执行sql,将查询的数据存到ResultSet类型的变量中
rowMapper.rowMapper(resultSet);
} catch (Exception e) {
logger.debug(e.getMessage(),e);
}finally {
close(resultSet,preparedStatement,connection);
}
}
/**
* 判断是否存在数据
*
*@author Administrator
*/
public boolean exist(String sql,Object...params) {
Connection connection=null;
PreparedStatement preparedStatement=null;
ResultSet resultSet=null;
try {
connection=getConnection();//获取链接
preparedStatement = connection.prepareStatement(sql);//得到preparedStatement
for (int i = 0; i < params.length; i++) {
preparedStatement.setObject(1+i, params[i]);//为preparedStatement赋值
}
resultSet= preparedStatement.executeQuery();//执行sql,将查询的数据存到ResultSet类型的变量中
return resultSet.next();
} catch (Exception e) {
logger.debug(e.getMessage(),e);
}finally {
close(resultSet,preparedStatement,connection);
}
return false;
}
/**
* 修改功能(insert,update,delete)
*
*@author Administrator
*/
public boolean update(String sql) {
Connection connection=null;
Statement statement=null;
try {
connection=getConnection();
statement = connection.createStatement();
int result = statement.executeUpdate(sql);
return result>0;
}catch (Exception e) {
logger.debug(e.getMessage(),e);
}finally {
close(statement,connection);
}
return false;
}
/**
* 释放资源
*
*@author Administrator
*/
private void close(Statement statement, Connection connection) {
try {
if(statement!=null) {
statement.close();
}
} catch (SQLException e) {
logger.debug(e.getMessage(),e);
}
try {
if(connection!=null) {
connection.close();
}
} catch (SQLException e) {
logger.debug(e.getMessage(),e);
}
}
/**
*释放资源
*
*@author Administrator
*/
private void close(ResultSet resultSet,Statement statement, Connection connection) {
try {
if(resultSet!=null) {
resultSet.close();
}
} catch (SQLException e) {
logger.debug(e.getMessage(),e);
}
close(statement, connection);
}
}
PropertiesTool.java
package jdbc.tool;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
public class PropertiesTool {
private static Properties properties = new Properties();
static {
InputStream inputStream = PropertiesTool.class.getClassLoader().getResourceAsStream("db.properties");//将db.properties变为javaIO流对象
try {
properties.load(inputStream);
} catch (IOException e) {
e.printStackTrace();
}
}
public static void main(String [] ages) {
}
public static String getValue(String key) {
return properties.getProperty(key);
}
}
test.java
package jdbc.test;
import java.sql.ResultSet;
import java.sql.SQLException;
import jdbc.tool.db.DBLink;
import jdbc.tool.db.IRowMapper;
public class Test {
public static void main(String[] args) {
//SQL注入:改变原有sql语句含义,产生意想不到的效果
String userName = "a";
String password = "1' or '1'='1";
String sql = "select id from student where name=? and id=?";
System.out.println(sql);
class RowMapper implements IRowMapper{
@Override
public void rowMapper(ResultSet rs) {
try {
if(rs.next()) {
System.out.println("Yes");
}else {
System.out.println("No");
}
} catch (SQLException e) {
e.printStackTrace();
}
}
}
RowMapper rowMapper = new RowMapper();
new DBLink().select(sql, rowMapper,userName,password);
}
}
IRowMapper.java
package jdbc.tool.db;
import java.sql.ResultSet;
public interface IRowMapper {
void rowMapper(ResultSet rs);
}
log4j.properties
# DEBUG\u8BBE\u7F6E\u8F93\u51FA\u65E5\u5FD7\u7EA7\u522B\uFF0C\u7531\u4E8E\u4E3ADEBUG\uFF0C\u6240\u4EE5ERROR\u3001WARN\u548CINFO \u7EA7\u522B\u65E5\u5FD7\u4FE1\u606F\u4E5F\u4F1A\u663E\u793A\u51FA\u6765
log4j.rootLogger=DEBUG,Console,RollingFile
#\u5C06\u65E5\u5FD7\u4FE1\u606F\u8F93\u51FA\u5230\u63A7\u5236\u53F0
log4j.appender.Console=org.apache.log4j.ConsoleAppender
log4j.appender.Console.layout=org.apache.log4j.PatternLayout
log4j.appender.Console.layout.ConversionPattern= [%-5p]-[%d{yyyy-MM-dd HH:mm:ss}] -%l -%m%n
#\u5C06\u65E5\u5FD7\u4FE1\u606F\u8F93\u51FA\u5230\u64CD\u4F5C\u7CFB\u7EDFD\u76D8\u6839\u76EE\u5F55\u4E0B\u7684log.log\u6587\u4EF6\u4E2D
log4j.appender.RollingFile=org.apache.log4j.DailyRollingFileAppender
log4j.appender.RollingFile.File=D://log.log
log4j.appender.RollingFile.layout=org.apache.log4j.PatternLayout
log4j.appender.RollingFile.layout.ConversionPattern=%d [%t] %-5p %-40.40c %X{traceId}-%m%n
db.properties
db.username=root
db.password=root
db.url=jdbc:mysql://localhost:3306/test