1.1.1 SQL 注入漏洞分析
1.1.2 SQL 注入漏洞解决
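/**
 * Authenticates a user by looking up a row whose username and password match the input.
 *
 * <p>Both values are bound as {@link PreparedStatement} parameters, so user input is never
 * concatenated into the SQL text; that is what closes the injection hole analysed above.
 *
 * @param username the submitted user name; {@code null} never authenticates
 * @param password the submitted password; {@code null} never authenticates
 * @return {@code true} only when at least one matching row exists; {@code false} on no match,
 *     missing input, or any database failure (the method fails closed)
 */
public boolean login(String username, String password) {
    // Fail closed on missing input rather than binding NULL into the query.
    if (username == null || password == null) {
        return false;
    }
    Connection conn = null;
    PreparedStatement pstmt = null;
    ResultSet rs = null;
    boolean flag = false;
    try {
        conn = JDBCUtils.getConnection();
        // The '?' placeholders keep username/password as data, never as SQL text.
        // NOTE(review): comparing the password column directly implies the stored value is
        // the plaintext password — verify; a salted hash compared in Java would be safer.
        String sql = "select * from user where username = ? and password = ?";
        pstmt = conn.prepareStatement(sql);
        pstmt.setString(1, username);
        pstmt.setString(2, password);
        rs = pstmt.executeQuery();
        // Any matching row counts as a successful login.
        if (rs.next()) {
            flag = true;
        }
    } catch (Exception e) {
        // Record the failure instead of silently returning false; flag stays false so a
        // database error can never be mistaken for a successful login. Kept broad because
        // the exceptions JDBCUtils declares are not visible from here.
        java.util.logging.Logger.getLogger(getClass().getName())
            .log(java.util.logging.Level.SEVERE, "login query failed", e);
    } finally {
        JDBCUtils.release(rs, pstmt, conn);
    }
    return flag;
}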