SQL注入问题
该 SQL 存在漏洞：语句通过字符串拼接生成，攻击者可以在参数中拼入 or 等条件，从而被攻击导致数据泄露。
package com.kuang.lesson02;
import com.kuang.lesson02.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
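public class SQL注入 {
    /**
     * Runs the login lookup once with ordinary credentials.
     *
     * <p>The commented-out call is the classic payload that bypassed the check while the
     * query was built by string concatenation; with the parameterized query in
     * {@link #login} the same input is matched literally and no longer returns every row.
     */
    public static void main(String[] args) throws SQLException {
        login("sanjin", "123456");
        // login("' or '1=1","123456");
    }

    /**
     * Prints the NAME of every users row whose NAME and PASSWORD equal the given values.
     *
     * <p>Both arguments are bound through {@link PreparedStatement} placeholders rather than
     * concatenated into the SQL text, so quote characters inside {@code name} or
     * {@code password} cannot alter the structure of the query.
     *
     * @param name     value compared against the NAME column
     * @param password value compared against the PASSWORD column
     *                 (NOTE(review): compared directly; whether the column holds a hash is
     *                 not visible here — confirm against the schema)
     * @throws SQLException if the lookup fails
     */
    public static void login(String name, String password) throws SQLException {
        Connection conn = null;
        PreparedStatement pstm = null;
        ResultSet rs = null;
        try {
            conn = jdbcUtils.getConnection();
            // Placeholders instead of "'" + name + "'": the values never become SQL syntax.
            String sql = "select * from users where `NAME`=? AND `PASSWORD`=?";
            pstm = conn.prepareStatement(sql);
            pstm.setString(1, name);
            pstm.setString(2, password);
            rs = pstm.executeQuery();
            while (rs.next()) {
                System.out.println(rs.getString("NAME"));
            }
        } catch (Exception e) {
            // Kept as in the original: the checked exceptions of jdbcUtils.getConnection()
            // are declared in the helper and not visible here.
            e.printStackTrace();
        } finally {
            // Resources are released exactly once, here; the extra release inside the try
            // block was redundant.
            jdbcUtils.release(conn, pstm, rs);
        }
    }
}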
PreparedStatement对象
PreparedStatement 可以防止SQL注入 ,效率更高。
- 新增
- 删除
- 更新
- 查询
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-g2bWtm8m-1609070543587)(C:\Users\王东梁\AppData\Roaming\Typora\typora-user-images\image-20201227170521886.png)]
package com.kuang.lesson03;
import com.kuang.lesson02.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class Test01 {
    /**
     * Inserts a single row into users through a {@link PreparedStatement}.
     *
     * <p>Compared with building the statement by string concatenation, the SQL text is
     * prepared with {@code ?} placeholders first and nothing runs until
     * {@code executeUpdate()}; the values are supplied afterwards via {@code setInt} and
     * {@code setString}, so they are never interpreted as SQL.
     */
    public static void main(String[] args) throws SQLException {
        Connection cn = null;
        PreparedStatement insert = null;
        try {
            cn = jdbcUtils.getConnection();
            // Question-mark placeholders stand in for the parameters.
            insert = cn.prepareStatement("insert into users(id,`NAME`) values(?,?)");
            // Bind the values by 1-based parameter index.
            insert.setInt(1, 6);
            insert.setString(2, "SANJIN");
            int affected = insert.executeUpdate();
            if (affected > 0) {
                System.out.println("插入成功");
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            jdbcUtils.release(cn, insert, null);
        }
    }
}
防止 SQL 注入的本质：参数以字符串形式传递，其中带有的引号等特殊字符会被转义，因此不会被当作 SQL 语法解析。