使用Statement创建的对象会有SQL注入风险,使用preparedStatement代替即可解决。

创建JDBCUtils类

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
package cn.imqinhao.util;

import java.io.FileReader;
import java.io.IOException;
import java.net.URL;
import java.sql.*;
import java.util.Properties;

public class JDBCUtils {
private static String url;
private static String user;
private static String password;
private static String driver;

static {
try {
// 1.创建Properties集合类
Properties properties = new Properties();
// 获取src路径下的文件的方式 ---> ClassLoader类加载器
ClassLoader classLoader = JDBCUtils.class.getClassLoader();
URL resource = classLoader.getResource("env.properties");
String path = resource.getPath();
// 2.加载文件
properties.load(new FileReader(path));
// 3.获取数据,赋值
url = properties.getProperty("url");
user = properties.getProperty("user");
password = properties.getProperty("password");
driver = properties.getProperty("driver");
Class.forName(url);
} catch (IOException e) {
e.printStackTrace();
} catch (ClassNotFoundException e) {
e.printStackTrace();
}
}
// 获取连接对象
public static Connection getConnection() throws SQLException {
return DriverManager.getConnection(url, user, password);
}
// 关闭资源
public static void close(Statement statement, Connection connection) {
if(statement != null) {
try {
// 关闭sql执行对象
statement.close();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
if(connection != null) {
try {
// 关闭连接对象
connection.close();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
}
// 关闭资源(重载)
public static void close(ResultSet resultSet, Statement statement, Connection connection) {
if(resultSet != null) {
try {
resultSet.close();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
if(statement != null) {
try {
statement.close();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
if(connection != null) {
try {
connection.close();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
}
}

编写主要代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
package cn.imqinhao.jdbc;

import cn.imqinhao.util.JDBCUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;

public class JDBCDemo10 {

public static void main(String[] args) {
boolean isSuccess = new JDBCDemo10().login();
new JDBCDemo10().isSuccess(isSuccess);
}
// 用户登录
public boolean login() {
Scanner scanner = new Scanner(System.in);
System.out.print("请输入用户名:");
String username = scanner.nextLine();
System.out.print("请输入密码:");
String password = scanner.nextLine();
Connection connection = null;
Statement statement = null;
ResultSet resultSet = null;
try {
// 1.获取连接对象
connection = JDBCUtils.getConnection();
// 2.定义sql语句
String sql = "select * from user where username = '" + username + "'and password = '" + password + "'";
// 3.获取sql执行对象
statement = connection.createStatement();
// 4.执行sql
resultSet = statement.executeQuery(sql);
// if(resultSet.next()) {
// return true;
// } else {
// return false;
// }
return resultSet.next();
} catch (SQLException throwables) {
throwables.printStackTrace();
} finally {
JDBCUtils.close(resultSet, statement, connection);
}
return false;
}
// 判断登录是否成功
public void isSuccess(boolean b) {
if(b) {
System.out.println("登录成功!");
} else {
System.out.println("账号或密码错误!");
}
}
}

运行结果

请输入用户名:qinhao

请输入密码:lareina520

登录成功!

SQL注入问题

请输入用户名:gjlkahgka

请输入密码:a’ or ‘a’ = ‘a

登录成功!

解决方案

解决方案是使用preparedStatement代替Statement

修改后的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
package cn.imqinhao.jdbc;

import cn.imqinhao.util.JDBCUtils;
import com.mysql.cj.protocol.Resultset;

import java.sql.*;
import java.util.Scanner;

public class JDBCDemo11 {
public static void main(String[] args) {

boolean isSuccess = new JDBCDemo11().login(username, password);
if (isSuccess) {
System.out.println("登录成功!");
} else {
System.out.println("用户名或密码错误!");
}
}

public boolean login() {
Scanner scanner = new Scanner(System.in);
System.out.print("请输入用户名:");
String username = scanner.nextLine();
System.out.print("请输入密码:");
String password = scanner.nextLine();
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet resultset = null;
try {
// 1.获取连接对象
connection = JDBCUtils.getConnection();
// 2.定义sql
String sql = "select * from user where username = ? and password = ?";
// 3.获取sql执行对象
preparedStatement = connection.prepareStatement(sql);
// 4.给sql赋值
preparedStatement.setString(1, username);
preparedStatement.setString(2, password);
// 5.执行sql
resultset = preparedStatement.executeQuery();
// 6.处理结果
return resultset.next();
} catch (SQLException throwables) {
throwables.printStackTrace();
} finally {
JDBCUtils.close(resultset, preparedStatement, connection);
}
return false;
}
}

运行结果

请输入用户名:gjlkahgka

请输入密码:a’ or ‘a’ = ‘a

用户名或密码错误!

评论



2019-2021 覃浩的博客 鄂ICP备19020398号-4 正在载入...

PoweredHexo
HostedGitHub & Coding
DNSAliyun & DNSPod
CDNjsDelivr
PictureBedjsDelivr
ThemeVolantis