创建JDBCUtils类
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
| package cn.imqinhao.util;
import java.io.FileReader; import java.io.IOException; import java.net.URL; import java.sql.*; import java.util.Properties;
public class JDBCUtils { private static String url; private static String user; private static String password; private static String driver;
static { try { Properties properties = new Properties(); ClassLoader classLoader = JDBCUtils.class.getClassLoader(); URL resource = classLoader.getResource("env.properties"); String path = resource.getPath(); properties.load(new FileReader(path)); url = properties.getProperty("url"); user = properties.getProperty("user"); password = properties.getProperty("password"); driver = properties.getProperty("driver"); Class.forName(url); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } } public static Connection getConnection() throws SQLException { return DriverManager.getConnection(url, user, password); } public static void close(Statement statement, Connection connection) { if(statement != null) { try { statement.close(); } catch (SQLException throwables) { throwables.printStackTrace(); } } if(connection != null) { try { connection.close(); } catch (SQLException throwables) { throwables.printStackTrace(); } } } public static void close(ResultSet resultSet, Statement statement, Connection connection) { if(resultSet != null) { try { resultSet.close(); } catch (SQLException throwables) { throwables.printStackTrace(); } } if(statement != null) { try { statement.close(); } catch (SQLException throwables) { throwables.printStackTrace(); } } if(connection != null) { try { connection.close(); } catch (SQLException throwables) { throwables.printStackTrace(); } } } }
|
编写主要代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57
| package cn.imqinhao.jdbc;
import cn.imqinhao.util.JDBCUtils;
import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import java.util.Scanner;
public class JDBCDemo10 {
public static void main(String[] args) { boolean isSuccess = new JDBCDemo10().login(); new JDBCDemo10().isSuccess(isSuccess); } public boolean login() { Scanner scanner = new Scanner(System.in); System.out.print("请输入用户名:"); String username = scanner.nextLine(); System.out.print("请输入密码:"); String password = scanner.nextLine(); Connection connection = null; Statement statement = null; ResultSet resultSet = null; try { connection = JDBCUtils.getConnection(); String sql = "select * from user where username = '" + username + "'and password = '" + password + "'"; statement = connection.createStatement(); resultSet = statement.executeQuery(sql);
return resultSet.next(); } catch (SQLException throwables) { throwables.printStackTrace(); } finally { JDBCUtils.close(resultSet, statement, connection); } return false; } public void isSuccess(boolean b) { if(b) { System.out.println("登录成功!"); } else { System.out.println("账号或密码错误!"); } } }
|
运行结果
1 2 3
| 请输入用户名:qinhao 请输入密码:dengenxi0418 登录成功!
|
SQL注入问题
1 2 3
| 请输入用户名:gjlkahgka 请输入密码:a’ or ‘a’ = ‘a 登录成功!
|
解决方案
解决方案是使用preparedStatement代替Statement。
修改后的代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
| package cn.imqinhao.jdbc;
import cn.imqinhao.util.JDBCUtils; import com.mysql.cj.protocol.Resultset;
import java.sql.*; import java.util.Scanner;
public class JDBCDemo11 { public static void main(String[] args) { boolean isSuccess = new JDBCDemo11().login(username, password); if (isSuccess) { System.out.println("登录成功!"); } else { System.out.println("用户名或密码错误!"); } }
public boolean login() { Scanner scanner = new Scanner(System.in); System.out.print("请输入用户名:"); String username = scanner.nextLine(); System.out.print("请输入密码:"); String password = scanner.nextLine(); Connection connection = null; PreparedStatement preparedStatement = null; ResultSet resultset = null; try { connection = JDBCUtils.getConnection(); String sql = "select * from user where username = ? and password = ?"; preparedStatement = connection.prepareStatement(sql); preparedStatement.setString(1, username); preparedStatement.setString(2, password); resultset = preparedStatement.executeQuery(); return resultset.next(); } catch (SQLException throwables) { throwables.printStackTrace(); } finally { JDBCUtils.close(resultset, preparedStatement, connection); } return false; } }
|
运行结果
1 2 3
| 请输入用户名:gjlkahgka 请输入密码:a’ or ‘a’ = ‘a 用户名或密码错误!
|