数据库开发三:JDBC数据库开发入门三
程序员文章站
2022-05-28 11:09:47
...
PrepareStatement相关知识点
一PrepareStatement使用,二预处理原理
防止sql攻击
sql攻击模拟如下所示:
当前数据库:
代码:
package jdbc;
import org.junit.Test;
import java.sql.*;
/**
* Created by kevin on 2020/3/23.
*/
public class Demo3 {
public boolean login(String name,String password){
/**
* 一、Connection
* 二、Statement
* 三、ResultSet
*/
Connection connection = null;
Statement statement = null;
ResultSet resultSet = null;
try {
String driverClassName = "com.mysql.cj.jdbc.Driver";
String url = "jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC";
String mysqlUserName="root";
String mysqlPassword="mysql";
Class.forName(driverClassName);
connection = DriverManager.getConnection(url,mysqlUserName,mysqlPassword);
statement = connection.createStatement();
String sql = "select * from stu WHERE name = '"+name+"'and password = '"+password+"'";
resultSet = statement.executeQuery(sql);
return resultSet.next();
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
if(resultSet!=null){
resultSet.close();
}
if(statement!=null){
statement.close();
}
if(connection!=null){
connection.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
return false;
}
@Test
public void fun1(){
String userName= "张三";
String password="111111";
String userName2= "错名' or 'a'='a";
String password2="错密码' or 'a'='a";
//正常输入
System.out.println(login(userName,password));
//sql注入越过正常逻辑判断
System.out.println(login(userName2,password2));
}
}
输出
通过PrepareStatement方式新建login2方法
public boolean login2(String name,String password){
/**
* 一、Connection
* 二、Statement
* 三、ResultSet
*/
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
try {
String driverClassName = "com.mysql.cj.jdbc.Driver";
String url = "jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC";
String mysqlUserName="root";
String mysqlPassword="mysql";
Class.forName(driverClassName);
connection = DriverManager.getConnection(url,mysqlUserName,mysqlPassword);
// statement = connection.createStatement();
// String sql = "select * from stu WHERE name = '"+name+"'and password = '"+password+"'";
// resultSet = statement.executeQuery(sql);
/**
* PrepareStatement 方式
* 1.给出sql模板:所有的参数使用?来替代
* 2.调用Connection方法得到PrepareStatement
*/
String sql = "select * from stu WHERE name = ? and password = ? ";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1,name);
preparedStatement.setString(2,password);
resultSet = preparedStatement.executeQuery();
return resultSet.next();
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
if(resultSet!=null){
resultSet.close();
}
if(preparedStatement!=null){
preparedStatement.close();
}
if(connection!=null){
connection.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
return false;
}
@Test
public void fun1(){
String userName= "张三";
String password="111111";
String userName2= "错名' or 'a'='a";
String password2="错密码' or 'a'='a";
//正常输入
System.out.println(login2(userName,password));
//sql注入越过正常逻辑判断
System.out.println(login2(userName2,password2));
}fun1()方法login替换为login2输出结果: