sql存在漏洞,会被攻击导致数据泄露,SQL会被拼接
package com.yang.lesson02;
import com.yang.lesson02.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class SQL注入 {
public static void main(String[] args) {
//login("yang","123456");
login("'or'1=1","''or'1=1'");
}
//登录业务
public static void login(String username,String password){
Connection conn = null;
Statement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
st = conn.createStatement();
//SELECT * FROM users WHERE `Name` = 'yang' AND `password`='123456';
//SELECT * FROM users WHERE `Name` = ''or'1=1' AND `password`=''or'1=1';
String sql = "select * from users where `NAME` ='"+username+"'AND `password` = '"+password+"'";
//查询完毕会返回一个结果集
rs = st.executeQuery(sql);
while (rs.next()){
System.out.println(rs.getString("NAME"));
System.out.println(rs.getString("PASSWORD"));
System.out.println("=========================================");
}
} catch (SQLException e) {
e.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}