package cn.test.javaee.service;
import org.junit.Test;
import cn.test.entity.User;
import cn.test.javaee.service.impl.UserServiceImpl;
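public class IUserServiceTest {

    /**
     * Name/password pair that is syntactically a SQL injection payload.
     * A correctly parameterised login query must treat it as plain data
     * and reject it; only a string-concatenated query would let it through.
     */
    private static final String INJECTION_NAME = "abc' or '1' = '1";
    private static final String INJECTION_PASSWD = "sergsrg' or '1' = '1";

    /** Builds the login request that carries the injection payload into the service. */
    private static User injectionUser() {
        User user = new User();
        user.setName(INJECTION_NAME);
        user.setPasswd(INJECTION_PASSWD);
        // Known-good credentials for a positive check: name "xiaoli", passwd "123123"
        return user;
    }

    /**
     * True when the service returned a populated user, i.e. the login was accepted.
     * The DAO returns {@code null} on a SQL error and a {@link User} with a
     * {@code null} name when no row matched, so both cases count as "not logged in".
     */
    private static boolean isLoggedIn(User resuser) {
        return resuser != null && resuser.getName() != null && !"".equals(resuser.getName());
    }

    /**
     * Sends the injection payload through the service and reports the outcome.
     * The original printed {@code resuser.toString()} before the null check, which
     * throws NPE whenever the DAO returns {@code null}; the result is now only
     * dereferenced after {@link #isLoggedIn(User)} has accepted it.
     */
    @Test
    public void testLogin() {
        IUserService userService = new UserServiceImpl();
        // SQL injection attempt: the payload travels through the User object into the DAO
        User resuser = userService.Login(injectionUser());
        if (isLoggedIn(resuser)) {
            System.out.println("Login Success");
            // Print the name only: the full record may carry the passwd column
            System.out.println("user=" + resuser.getName());
        } else {
            System.out.println("Login Failed");
        }
    }

    /**
     * Verifies that a DAO built on {@code PreparedStatement} rejects the injection payload.
     * The original only printed the outcome, so it could never fail; a successful
     * login with this payload now fails the test, because it means the name and
     * passwd were interpreted as SQL rather than bound as parameters.
     */
    @Test
    public void testLoginForPrepareStatement() {
        IUserService userService = new UserServiceImpl();
        // SQL injection attempt; PreparedStatement placeholders must neutralise it
        User resuser = userService.Login(injectionUser());
        if (isLoggedIn(resuser)) {
            System.out.println("Login Success");
            throw new AssertionError(
                    "Injection payload was accepted as a valid login; the DAO must bind name/passwd as PreparedStatement parameters");
        }
        System.out.println("Login Failed");
    }
}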
package cn.test.javaee.dao.impl;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import jdbc.util.JDBCUtil;
import cn.test.entity.User;
import cn.test.javaee.dao.IUserDao;
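public class UserDaoImpl2 implements IUserDao {

    /**
     * Looks up the employee whose name and passwd match the given user.
     * <p>
     * The query is a prepared statement: name and passwd are bound with
     * {@code setString}, so their content is never parsed as SQL. That is
     * the whole defence against the injection payload the accompanying test
     * sends through this method.
     *
     * @param user carries the name and passwd to authenticate
     * @return the first matching row mapped to a {@link User}; a {@link User}
     *         whose name is {@code null} when nothing matched (callers test
     *         {@code getName()} for that); or {@code null} when the query
     *         failed with a {@link SQLException}
     */
    @Override
    public User Login(User user) {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            conn = JDBCUtil.getConnection();
            // '?' placeholders: the values are bound below instead of being concatenated into the SQL text
            String sql = " select * from employee where name=? and passwd=?";
            // Prints the template only; the bound values never appear here
            System.out.println(sql);
            stmt = conn.prepareStatement(sql);
            stmt.setString(1, user.getName());
            stmt.setString(2, user.getPasswd());
            // NOTE(review): passwd is compared verbatim with the stored column. If that
            // column holds plaintext passwords, that is a storage weakness separate from
            // the injection fix — confirm how passwords are stored.
            rs = stmt.executeQuery();
            User result = new User();
            // Only the first row is used. The original looped over every row and
            // overwrote `result` each time, so with several matching rows the last
            // one silently won; for an authentication lookup the first match is
            // the deterministic choice.
            if (rs.next()) {
                fillFromRow(result, rs);
            }
            return result;
        } catch (SQLException e) {
            // Best-effort: report and fall through to the null return callers already handle
            e.printStackTrace();
        } finally {
            // JDBCUtil owns the connection lifecycle (it may be pooled), so release
            // through it rather than closing the handles directly
            JDBCUtil.release(rs, stmt, conn);
        }
        return null;
    }

    /**
     * Copies the current result-set row into {@code target}.
     * <p>
     * Columns 1, 3 and 4 are read by position, so they depend on the column
     * order of {@code employee} behind {@code select *}; the others are read by name.
     *
     * @throws SQLException when a column cannot be read
     */
    private static void fillFromRow(User target, ResultSet rs) throws SQLException {
        target.setEmployee_id(rs.getInt(1));
        target.setName(rs.getString("name"));
        target.setSalary(rs.getInt(3));
        target.setAge(rs.getInt(4));
        target.setJob(rs.getString("job"));
        target.setPasswd(rs.getString("passwd"));
        target.setSex(rs.getString("sex"));
    }
}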