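<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%@ page import="java.sql.Connection" %>
<%@ page import="java.sql.DriverManager" %>
<%@ page import="java.sql.PreparedStatement" %>
<%@ page import="java.sql.ResultSet" %>
<%!
    // Minimal HTML escaping for values rendered into the page body.
    // The rows this page prints were matched against request parameters, so
    // what comes back from the database is attacker-influenced and must not be
    // written raw into the HTML.
    private static String esc(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
%>
<html>
<head>
<title>主页</title>
</head>
<body>
<%
// Load the JDBC driver (JDBC 4 drivers are discovered automatically; kept for
// older Connector/J jars, whose class name is com.mysql.jdbc.Driver).
Class.forName("com.mysql.jdbc.Driver");
// NOTE(review): the connection credentials are hard-coded (root/root) and the
// application runs as the database superuser. Move them to configuration
// outside the web root and use a least-privilege account.
String url = "jdbc:mysql://localhost:3306/book";
// Parameterised query: the user-supplied values are bound to the '?'
// placeholders, so they can never change the structure of the SQL.
// NOTE(review): comparing the password column directly implies it is stored in
// clear text. Store a salted password hash (bcrypt/scrypt/argon2) and verify it
// in Java after fetching the row by username.
String sql = "select * from user where username = ? and password = ?";
// try-with-resources closes the result set, statement and connection on every
// path, including when an exception propagates; the original never closed any
// of them, leaking a pooled connection per request.
try (Connection connection = DriverManager.getConnection(url, "root", "root");
     PreparedStatement pstm = connection.prepareStatement(sql)) {
    pstm.setString(1, request.getParameter("username"));
    pstm.setString(2, request.getParameter("password"));
    try (ResultSet rs = pstm.executeQuery()) {
        // Walk the result set and render one line per row.
        while (rs.next()) {
            // Escape before writing into HTML: the username was supplied by the
            // client, so printing it raw is a reflected XSS sink.
            // NOTE(review): column 2 of "user" is printed verbatim. If that is
            // the password column it must not be rendered to the browser at all.
            out.print(esc(rs.getString("username")) + "-" + esc(rs.getString(2)) + "<br>");
        }
    }
}
/*
 * Kept for contrast only — the earlier string-concatenated version. The input
 *   admin3' or '1'='1
 * produces
 *   select * from user where username = 'admin3' or '1'='1'
 * which matches every row (SQL injection). Do not reinstate it.
 *
 * Statement stmt = connection.createStatement();
 * String sql = "select * from user where username = '"+request.getParameter("username")+"'";
 * ResultSet rs = stmt.executeQuery(sql);
 */
%>
</body>
</html>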