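package com.zd.DaoImpl;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

import com.zd.Dao.UserDao;
import com.zd.util.JDBCUtil;

/**
 * JDBC-backed implementation of {@link UserDao}.
 *
 * <p>The login query is issued through a {@link PreparedStatement} with bound
 * parameters, so the caller-supplied {@code username} and {@code password} are
 * always transmitted as literal values and never spliced into the SQL text.
 * An input such as {@code 123' or '1=1} is therefore just a (non-matching)
 * password string and cannot alter the {@code WHERE} clause.
 */
public class UserDaoImpl implements UserDao {

    /** Parameterized login query; the {@code ?} markers are bound positionally (1-based). */
    private static final String LOGIN_SQL =
            "select * from user where username = ? and password = ?";

    /**
     * Looks up a row matching the given credentials and prints the outcome to
     * stdout ("登陆成功" when a row exists, "登陆失败" otherwise).
     *
     * @param username login name supplied by the caller; treated as untrusted input
     * @param password password supplied by the caller; treated as untrusted input
     */
    @Override
    public void login(String username, String password) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = JDBCUtil.getConn();
            // The SQL template is compiled before any value is attached; the
            // bound strings are data to the driver, never SQL syntax.
            ps = conn.prepareStatement(LOGIN_SQL);
            ps.setString(1, username);
            ps.setString(2, password);
            // NOTE(review): this compares the stored password column directly.
            // If the column holds plaintext (cannot tell from here), store a
            // salted hash (bcrypt/scrypt/argon2) and verify against that instead.
            rs = ps.executeQuery();
            if (rs.next()) {
                System.out.println("登陆成功");
            } else {
                System.out.println("登陆失败");
            }
        } catch (Exception e) {
            // Kept for parity with the original contract; production code
            // should route this through a logger instead of printStackTrace().
            e.printStackTrace();
        } finally {
            // PreparedStatement is a Statement, so the existing release helper applies unchanged.
            JDBCUtil.release(conn, ps, rs);
        }
    }
}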
package com.zd.test;

import com.zd.Dao.UserDao;
import com.zd.DaoImpl.UserDaoImpl;

/**
 * Manual driver for the login DAO: performs a single login attempt against the
 * database configured in JDBCUtil and lets the DAO print the result.
 */
public class Test {

    public static void main(String[] args) {
        // Program to the interface; the concrete JDBC implementation is chosen only here.
        final UserDao userDao = new UserDaoImpl();
        userDao.login("aaa", "123");
    }
}
登录案例的 Statement 安全问题（SQL 注入）—— 用 PreparedStatement 修复
// Attack input: the password value closes the quoted literal early and appends an OR clause.
UserDao dao = new UserDaoImpl();
dao.login("aaa", "123' or '1=1");
// With the Statement-based DAO above, string concatenation produces:
//   select * from user where username = 'aaa' and password = '123' or '1=1'
// AND binds tighter than OR, so the condition is (username = 'aaa' and password = '123') or '1=1'.
// The trailing literal '1=1' is a non-empty string; MySQL coerces it to the number 1 (true),
// so every row matches and rs.next() returns true regardless of the real password.
// The line below is the textbook form of the same injection (`' or 1=1`), shown for illustration;
// it is not the exact text produced by the input above.
String sql = "select * from user where username = '" + username + "' and password = '" + password + "' or 1=1";
这样整个 WHERE 条件恒为真：无论密码是否正确都会返回记录，rs.next() 为 true，登录“成功”——这就是 SQL 注入。
Statement 执行的是拼接好的 SQL 字符串：先把用户输入拼进 SQL 文本，再整体交给数据库解析执行。数据库无法区分哪部分是开发者写的语句、哪部分是用户输入，因此输入中的引号、or 等都会被当作 SQL 语法来解释。
PreparedStatement
预编译 SQL：先把带 ? 占位符的 SQL 模板发给数据库编译，再单独绑定参数值。参数只会被当作数据（按 setString 等绑定的类型作为字面值传递），不会被解析为 SQL 语法，所以 `123' or '1=1` 只是一个不匹配的密码字符串。
注意：参数下标从 1 开始，setString(1, …) 对应第一个 ?。
// Template with positional placeholders: the SQL text itself contains no user input.
String sql = "select * from user where username =? and password =?";
PreparedStatement pstmt = conn.prepareStatement(sql); // compiled before any value is known
pstmt.setString(1, username);                         // indices are 1-based
pstmt.setString(2, password);                         // bound as a literal, never parsed as SQL
rs = pstmt.executeQuery();                            // no SQL argument here — values are already bound