JAVA预防SQL注入问题
一、SQL注入例子
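/**
 * INTENTIONALLY VULNERABLE login check, kept only to demonstrate SQL injection.
 * The query is assembled by string concatenation, so a crafted password such as
 * {@code ' or '1' = '1} rewrites the WHERE clause and the "login" succeeds without
 * a valid credential. Do not copy this pattern; the parameterized version in the
 * next section is the correct form.
 *
 * @throws Exception if the connection cannot be opened or the query fails
 */
@Test
public void testLogin() throws Exception {
    String url = "jdbc:mysql:///db1?useSSL=false";
    // NOTE(review): hard-coded root credentials and useSSL=false are demo-only settings;
    // real code loads credentials from configuration and keeps TLS on.
    String username = "root";
    String password = "1234";
    String name = "sjdljfld";
    String pwd = "' or '1' = '1";
    // Injection point: attacker-controlled text is spliced straight into the SQL.
    String sql = " select * from tb_user where username = '"+name+"' and password = '"+pwd+"' ";
    // After concatenation the statement sent to MySQL reads:
    //   select * from tb_user where username = 'sjdljfld' and password = '' or '1' = '1'
    // AND binds tighter than OR, so this is (username = ... AND password = '') OR '1' = '1',
    // and the always-true right-hand side makes every row match.
    // try-with-resources closes the ResultSet, Statement and Connection even when
    // executeQuery throws; the explicit close() calls were skipped on any exception.
    try (Connection conn = DriverManager.getConnection(url, username, password);
         Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery(sql)) {
        if (rs.next()) {
            System.out.println("登录成功~");
        } else {
            System.out.println("登录失败~");
        }
    }
}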
二、解决SQL注入：使用 PreparedStatement 参数化查询（占位符 ?），不要拼接 SQL 字符串
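/**
 * Fixed version of the login check: the same query issued through a
 * {@link PreparedStatement}. The SQL text is fixed at prepare time and
 * {@code name}/{@code pwd} are bound as parameters, so the payload
 * {@code ' or '1' = '1} is treated as a literal password string rather than
 * as SQL, and the login fails as it should.
 *
 * @throws ClassNotFoundException if the MySQL driver class is not on the classpath
 * @throws SQLException if the connection cannot be opened or the query fails
 */
@Test
public void testLogin() throws ClassNotFoundException, SQLException {
    // Explicit driver loading; JDBC 4+ discovers the driver via ServiceLoader, so this
    // line is optional but harmless.
    Class.forName("com.mysql.cj.jdbc.Driver");
    String url = "jdbc:mysql://127.0.0.1:3306/test";
    // NOTE(review): empty credentials are demo-only; real code reads them from configuration.
    String userName = "";
    String password = "";
    String name = "sjdljfld";
    String pwd = "' or '1' = '1";
    // Placeholders instead of concatenation. Parameters can only stand in for values;
    // if table/column names or ORDER BY targets ever vary, they need an allow-list,
    // because ? cannot be used for identifiers.
    String sql = "select * from tb_user where username = ? and password = ?";
    // try-with-resources closes every JDBC resource even when the query throws.
    try (Connection conn = DriverManager.getConnection(url, userName, password);
         PreparedStatement pstmt = conn.prepareStatement(sql)) {
        pstmt.setString(1, name);
        pstmt.setString(2, pwd);
        // What the driver effectively sends (quotes in the value are escaped, so the
        // payload stays inside the string literal):
        //   select * from tb_user where username = 'sjdljfld' and password = '\' or \'1\' = \'1'
        // NOTE(review): comparing a plaintext password column in SQL is itself a demo
        // shortcut; production code stores a salted hash (bcrypt/scrypt/argon2) and
        // verifies it in application code.
        try (ResultSet rs = pstmt.executeQuery()) {
            if (rs.next()) {
                System.out.println("登录成功");
            } else {
                System.out.println("登录失败");
            }
        }
    }
}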