防止SQL注入
import java.sql.*;
public class SQL {
public static void main(String[] args) { login("李四","123456");
login(" 'or '1=1"," 'or'1=1");
}
//登录业务
public static void login(String username,String password){
Connection connection = null; PreparedStatement statement = null; ResultSet resultSet = null;
try {
connection = jdbcUtils.getConnection();
//PrepareStatement防止SQL注入的本质,把传进来的参数当做字符
//假设其中存在转义字符,例如 ‘ 会被直接转义
String sql ="SELECT * FROM users WHERE `NAME`=? AND `PASSWORD`=?"; statement = connection.prepareStatement(sql); statement.setString(1,username); statement.setString(2,password);
resultSet = statement.executeQuery(); while (resultSet.next()){
System.out.println(resultSet.getString("NAME")); System.out.println(resultSet.getString("PASSWORD"));
}
} catch (SQLException e){
e.printStackTrace();
}finally { jdbcUtils.release(connection,statement,resultSet);}
}
}