JDBC - SQL注入问题

package cn.imqinhao.util;

import java.io.FileReader;
import java.io.IOException;
import java.net.URL;
import java.sql.*;
import java.util.Properties;

public class JDBCUtils {
    private static String url;
    private static String user;
    private static String password;
    private static String driver;

    static {
        try {
            // 1.创建Properties集合类
            Properties properties = new Properties();
            // 获取src路径下的文件的方式 ---> ClassLoader类加载器
            ClassLoader classLoader = JDBCUtils.class.getClassLoader();
            URL resource = classLoader.getResource("env.properties");
            String path = resource.getPath();
            // 2.加载文件
            properties.load(new FileReader(path));
            // 3.获取数据，赋值
            url = properties.getProperty("url");
            user = properties.getProperty("user");
            password = properties.getProperty("password");
            driver = properties.getProperty("driver");
            Class.forName(url);
        } catch (IOException e) {
            e.printStackTrace();
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        }
    }
	// 获取连接对象
    public static Connection getConnection() throws SQLException {
        return DriverManager.getConnection(url, user, password);
    }
	// 关闭资源
    public static void close(Statement statement, Connection connection) {
        if(statement != null) {
            try {
                // 关闭sql执行对象
                statement.close();
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
        if(connection != null) {
            try {
                // 关闭连接对象
                connection.close();
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
    }
	// 关闭资源（重载）
    public static void close(ResultSet resultSet, Statement statement, Connection connection) {
        if(resultSet != null) {
            try {
                resultSet.close();
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
        if(statement != null) {
            try {
                statement.close();
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
        if(connection != null) {
            try {
                connection.close();
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
    }
}

package cn.imqinhao.jdbc;

import cn.imqinhao.util.JDBCUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;

public class JDBCDemo10 {

    public static void main(String[] args) {
        boolean isSuccess = new JDBCDemo10().login();
        new JDBCDemo10().isSuccess(isSuccess);
    }
	// 用户登录
    public boolean login() {
        Scanner scanner = new Scanner(System.in);
        System.out.print("请输入用户名：");
        String username = scanner.nextLine();
        System.out.print("请输入密码：");
        String password = scanner.nextLine();
        Connection connection = null;
        Statement statement = null;
        ResultSet resultSet = null;
        try {
            // 1.获取连接对象
            connection = JDBCUtils.getConnection();
            // 2.定义sql语句
            String sql = "select * from user where username = '" + username + "'and password = '" + password + "'";
            // 3.获取sql执行对象
            statement = connection.createStatement();
            // 4.执行sql
            resultSet = statement.executeQuery(sql);
//            if(resultSet.next()) {
//                return true;
//            } else {
//                return false;
//            }
            return resultSet.next();
        } catch (SQLException throwables) {
            throwables.printStackTrace();
        } finally {
            JDBCUtils.close(resultSet, statement, connection);
        }
        return false;
    }
	// 判断登录是否成功
    public void isSuccess(boolean b) {
        if(b) {
            System.out.println("登录成功！");
        } else {
            System.out.println("账号或密码错误！");
        }
    }
}

package cn.imqinhao.jdbc;

import cn.imqinhao.util.JDBCUtils;
import com.mysql.cj.protocol.Resultset;

import java.sql.*;
import java.util.Scanner;

public class JDBCDemo11 {
    public static void main(String[] args) {
        
        boolean isSuccess = new JDBCDemo11().login(username, password);
        if (isSuccess) {
            System.out.println("登录成功！");
        } else {
            System.out.println("用户名或密码错误！");
        }
    }

    public boolean login() {
        Scanner scanner = new Scanner(System.in);
        System.out.print("请输入用户名：");
        String username = scanner.nextLine();
        System.out.print("请输入密码：");
        String password = scanner.nextLine();
        Connection connection = null;
        PreparedStatement preparedStatement = null;
        ResultSet resultset = null;
        try {
            // 1.获取连接对象
            connection = JDBCUtils.getConnection();
            // 2.定义sql
            String sql = "select * from user where username = ? and password = ?";
            // 3.获取sql执行对象
            preparedStatement = connection.prepareStatement(sql);
            // 4.给sql赋值
            preparedStatement.setString(1, username);
            preparedStatement.setString(2, password);
            // 5.执行sql
            resultset = preparedStatement.executeQuery();
            // 6.处理结果
            return resultset.next();
        } catch (SQLException throwables) {
            throwables.printStackTrace();
        } finally {
            JDBCUtils.close(resultset, preparedStatement, connection);
        }
        return false;
    }
}