Statement 可能会发生 SQL 注入情况，但是 PreparedStatement 不会发生：参数通过 ? 占位符绑定，而不是拼接进 SQL 字符串。
package com.alex.jdbc;
import com.alex.util.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;
import org.junit.Test;
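public class TestConnection05 {
    /** Console input shared by both login demos; credentials are read as whitespace-delimited tokens. */
    Scanner scanner = new Scanner(System.in);

    /** Prompts for the user name on stdin and returns the next token typed. */
    private String promptUsername() {
        System.out.println("请输入用户名:");
        return scanner.next();
    }

    /** Prompts for the password on stdin and returns the next token typed. */
    private String promptPassword() {
        System.out.println("请输入用户密码:");
        return scanner.next();
    }

    /**
     * Prints {@code success} when the first column of the first row is positive and
     * {@code fail} otherwise; prints nothing when the result set is empty.
     *
     * @param resultSet cursor positioned before the first row of a {@code COUNT(*)} query
     * @throws SQLException if the cursor cannot be advanced or read
     */
    private static void printLoginResult(ResultSet resultSet) throws SQLException {
        if (resultSet.next()) {
            int count = resultSet.getInt(1);
            System.out.println(count > 0 ? "success" : "fail");
        }
    }

    /**
     * Login check built with a plain {@link Statement}.
     *
     * <p>Deliberately kept as the vulnerable variant for comparison: the user name and
     * password are concatenated straight into the SQL text, so any quote or SQL syntax
     * typed at the prompt becomes part of the query. {@link #test_PreparedStatement()}
     * is the form to use in real code.
     *
     * <p>All three JDBC resources are opened in a try-with-resources so they are closed
     * even if {@code executeQuery} throws (the original unconditional close call ran only
     * on the success path).
     *
     * @throws Exception propagated from {@code JDBCUtils.getConnection()} or JDBC
     */
    @Test
    public void test_Statement() throws Exception {
        String username = promptUsername();
        String password = promptPassword();
        // DO NOT COPY: string-built SQL, shown only to contrast with the bound-parameter
        // version below. Untrusted input lands unescaped inside the query text.
        String sql = "select COUNT(*) from admin where username='" + username + "' and `password`='" + password + "'";
        try (Connection connection = JDBCUtils.getConnection();
             Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery(sql)) {
            printLoginResult(resultSet);
        }
    }

    /**
     * Login check built with a {@link PreparedStatement}.
     *
     * <p>The user name and password are bound to {@code ?} placeholders, so the driver
     * sends them as values rather than as SQL text; quotes or keywords in the input cannot
     * change the statement's structure.
     *
     * <p>NOTE(review): the query compares the typed password directly against the stored
     * {@code password} column, so whatever representation the column holds (plaintext or
     * otherwise) is what the user must type — confirm the column stores a hash.
     *
     * @throws Exception propagated from {@code JDBCUtils.getConnection()} or JDBC
     */
    @Test
    public void test_PreparedStatement() throws Exception {
        String username = promptUsername();
        String password = promptPassword();
        String sql = "select COUNT(*) from admin where username= ? and `password`= ?";
        try (Connection connection = JDBCUtils.getConnection();
             PreparedStatement prepareStatement = connection.prepareStatement(sql)) {
            // JDBC parameter indexes are 1-based.
            prepareStatement.setString(1, username);
            prepareStatement.setString(2, password);
            try (ResultSet resultSet = prepareStatement.executeQuery()) {
                printLoginResult(resultSet);
            }
        }
    }
}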