MySQL 注入漏洞的一种表现：输入里的引号字符把 SQL 中原有的 ' ' 闭合掉了，于是后面跟着的 true 条件就生效了。
于是实际执行的语句就相当于：select * from stu where StuName = true
代码举例:
// Login flow: read the username and password from stdin (untrusted input).
System.out.println("请输入用户名:");
Scanner scanner = new Scanner(System.in);
String name = scanner.nextLine();
System.out.println("请输入密码:");
String password = scanner.nextLine();
// Build the SQL by string formatting: both inputs are spliced straight into the query text.
// This is the injection point the page is about — a quote character in the input terminates
// the literal and the remainder of the input is parsed as SQL. Fix: PreparedStatement with ? parameters.
String sql = String.format("select * from stu where StuName='%s' and LoginPwd='%s'",name,password);
// Connect to the server and check the credentials.
Connection connection = JDBCUtil.GetConnection(); // project helper that wraps the JDBC driver and returns an open Connection
Statement statement = null;
statement = connection.createStatement();
// Execute the query.
ResultSet resultSet = statement.executeQuery(sql);
if(resultSet.next()){
    System.out.println("登录成功");
    System.out.println(sql); // NOTE(review): echoes the raw query, including the typed password, to stdout
}else{
    System.out.println("登录失败!请重试");
}
// NOTE(review): connection, statement and resultSet are never closed here; they should be
// opened in try-with-resources so they are released even when executeQuery throws.
解决：使用预编译 PreparedStatement，创建参数化的 SQL 语句，用户输入只作为参数值绑定，不再参与 SQL 文本的拼接。
例如:String sql="select * from stu where StuName = ? and LoginPwd = ?"; //设置参数化sql语句,变量的值暂时用?代替
PreparedStatement preparement = connection.prepareStatement(sql);
preparement.setString(1, "易烊千玺"); //设置参数
preparement.setString(2,"123445");
代码示例:
//登录系统 System.out.println("请输入用户名:"); Scanner scanner = new Scanner(System.in); String name = scanner.nextLine(); System.out.println("请输入密码:"); String password = scanner.nextLine(); //拼接成sql语句 // String sql = String.format("select * from stu where StuName='%s' and LoginPwd='%s'",name,password); String sql = "select * from stu where StuName=? and LoginPwd=?;"; //连接服务器验证密码是否正确 Connection connection = JDBCUtil.GetConnection(); //自定义的JDBCUtil类封装了连接sql的驱动器,以及返回一个连接到自己的服务器Connection活动对象 // Statement statement = null; // statement = connection.createStatement(); PreparedStatement preparedStatement = connection.prepareStatement(sql); //为每一个?赋值,下标从1开始 preparedStatement.setString(1, name); preparedStatement.setString(2,password); //执行sql语句 // ResultSet resultSet = statement.executeQuery(sql); ResultSet resultSet = preparedStatement.executeQuery(); if(resultSet.next()){ System.out.println("登录成功"); System.out.println(sql); }else{ System.out.println("登录失败!请重试"); } }
