对Prepared Statement 是否可以防止 SQL Injection 的实验

代码：

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

public class Test02 {

    public static void main(String argsv[]){
        try 
         {
           Class.forName("org.postgresql.Driver").newInstance();
           String url = "jdbc:postgresql://localhost:5432/postgres" ;
    
           Connection con = DriverManager.getConnection(url,"postgres","postgres" );
           
           ///Phase 1:-------------Select data from table-----------------------
           System.out.println("Phase 1------------------------start");
           
           String strsql = " select * from customers01 where cust_id = ?";
           PreparedStatement pst=con.prepareStatement(strsql);

           pst.setString(1,"3"); //find the customer with cust_id of 3.
           
           ResultSet rs = pst.executeQuery();
           
           while (rs.next())
            {
               System.out.print("cust_id:"+rs.getInt( "cust_id"));
               System.out.println("...cust_name:"+rs.getString( "cust_name" ));
           }
           System.out.println("Phase 1------------------------end\n"); 
                   
          rs.close();           
          pst.close();
          con.close();
           
       } 
        catch (Exception ee)
        {
           System.out.print(ee.getMessage());
       } 
    }
    
}

如果我把  pst.setString(1,"3"); //find the customer with cust_id of 3. 改成：

pst.setString(1,"3 or 1 = 1"); 只是执行是无法得到结果而已，并未抓出所有记录。

prepared statement 还是相对的安全，它摒弃了sql语句的拼接。

本文转自健哥的数据花园博客园博客，原文链接：http://www.cnblogs.com/gaojian/p/3140698.html，如需转载请自行联系原作者