SQL注入问题
sql存在漏洞,会被攻击导致数据泄露,本质:SQL会被拼接 or
代码测试
db.properties文件
driver = com.mysql.cj.jdbc.Driver
url = jdbc:mysql://localhost:3306/school?serverTimezone=UTC
username = root
password = 123456
JDBC工具类
import java.io.InputStream;
import java.sql.*;
import java.util.Properties;
public class JdbcUtils {
private static String driver = null;
private static String url = null;
private static String username = null;
private static String password = null;
static {
try {
InputStream in = JdbcUtils.class.getClassLoader().getResourceAsStream("db.properties");
Properties properties = new Properties();
properties.load(in);
driver = properties.getProperty("driver");
url = properties.getProperty("url");
username = properties.getProperty("username");
password = properties.getProperty("password");
//驱动只用加载一次
Class.forName(driver);
} catch (Exception e) {
e.printStackTrace();
}
}
//获取连接
public static Connection getConnection() throws SQLException {
return DriverManager.getConnection(url, username, password);
}
//释放资源
public static void release(Connection conn, Statement st, ResultSet rs){
if (rs!=null){
try {
rs.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if (st!=null){
try {
st.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
if (conn!=null){
try {
conn.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
}
SQL注入代码
package jdbc;
import utils.JdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class SQL注入 {
public static void main(String[] args) {
//login("yuan","666666");
login("'or '1=1","' or '1=1");//技巧
}
//登录业务
public static void login(String username,String password){
Connection conn = null;
Statement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
st = conn.createStatement();
//SELECT * FROM testmd5 WHERE NAME = 'yuan' AND pwd = '666666'
String sql = "SELECT * FROM testmd5 WHERE NAME = '"+username+"' AND pwd = '"+password+"'";
rs = st.executeQuery(sql);
while (rs.next()){
System.out.println("id:"+rs.getInt("id"));
System.out.println("name:"+rs.getString("name"));
System.out.println("pwd:"+rs.getString("pwd"));
}
} catch (SQLException e) {
e.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}
/*
结果:
id:1
name:zhangsan
pwd:e10adc3949ba59abbe56e057f20f883e
id:2
name:lishi
pwd:123456
id:3
name:wangwu
pwd:e10adc3949ba59abbe56e057f20f883e
id:6
name:yuan
pwd:666666
id:7
name:boss
pwd:666666
*/
由以上结果可知,通过SQL注入(本质是拼接字符串)可以获取数据库中所有的信息
如果要防止SQL注入,那就需要使用PreparedStatement对象