1. Use a precompiled statement (PreparedStatement). It guards against SQL injection as long as the values are passed through its setString method rather than concatenated into the SQL text:
    // '?' placeholders; the driver binds the values as data, never as SQL
    String sql = "SELECT * FROM Users WHERE username=? AND password=?";
    PreparedStatement prestate = conn.prepareStatement(sql);
    prestate.setString(1, userName);
    prestate.setString(2, password);
    ResultSet rs = prestate.executeQuery();
2. Use a regular expression to blank out any input that contains a single quotation mark ('), a semicolon (;) or the comment symbol (--), so that such input cannot be used for SQL injection:
    // Returns "" for any string that contains a single quote, a semicolon or "--";
    // other strings are returned unchanged
    public static String filterSql(String str) {
        return str.replaceAll(".*([';]+|(--)+).*", "");
    }

    userName = filterSql(userName);
    password = filterSql(password);
    String sql = "SELECT * FROM Users WHERE username='" + userName + "' AND password='" + password + "'";
    Statement sta = conn.createStatement();
    ResultSet rs = sta.executeQuery(sql);
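The following is an added, runnable Java example (not code from the original article) that exercises both methods above against a real SQL engine so the difference is observable. It assumes an H2 JDBC driver on the classpath and uses the in-memory URL jdbc:h2:mem:demo; the table, the sample row and the login input are constructed for the demonstration. It also shows the side effect of the regex filter from method 2: the filter drops the entire field whenever one of the three patterns appears, so a legitimate value such as O'Brien is discarded along with hostile input.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not part of the original article.
// Assumes the H2 driver (any version that auto-registers via ServiceLoader) is on the classpath.
public class SqlInjectionDemo {

    // Method 2 from the article: blacklist filter. It returns "" for the WHOLE
    // string as soon as a quote, a semicolon or "--" appears anywhere in it.
    public static String filterSql(String str) {
        return str.replaceAll(".*([';]+|(--)+).*", "");
    }

    // Vulnerable form: the values are concatenated into the SQL text,
    // so the input is parsed as part of the statement.
    static int countConcatenated(Connection conn, String userName, String password) throws SQLException {
        String sql = "SELECT * FROM Users WHERE username='" + userName + "' AND password='" + password + "'";
        try (Statement sta = conn.createStatement(); ResultSet rs = sta.executeQuery(sql)) {
            return countRows(rs);
        }
    }

    // Method 1 from the article: the values are bound to placeholders and
    // never reach the SQL parser.
    static int countPrepared(Connection conn, String userName, String password) throws SQLException {
        String sql = "SELECT * FROM Users WHERE username=? AND password=?";
        try (PreparedStatement prestate = conn.prepareStatement(sql)) {
            prestate.setString(1, userName);
            prestate.setString(2, password);
            try (ResultSet rs = prestate.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement s = conn.createStatement()) {
                s.execute("CREATE TABLE Users(username VARCHAR(64), password VARCHAR(64))");
                // Constructed sample row for the demo
                s.execute("INSERT INTO Users VALUES ('alice', 'correct-horse')");
            }

            // Constructed login input: closes the quoted literal and appends a tautology
            String badUser = "' OR '1'='1";
            String badPass = "' OR '1'='1";

            System.out.println("concatenated (no filter): " + countConcatenated(conn, badUser, badPass) + " row(s)");
            System.out.println("prepared statement      : " + countPrepared(conn, badUser, badPass) + " row(s)");
            System.out.println("filterSql(badUser)      : \"" + filterSql(badUser) + "\"");
            System.out.println("filterSql(\"O'Brien\")    : \"" + filterSql("O'Brien") + "\"");
            System.out.println("concatenated (filtered) : "
                    + countConcatenated(conn, filterSql(badUser), filterSql(badPass)) + " row(s)");
        }
    }
}
```

Run it with the H2 jar on the classpath (for example `java -cp h2.jar:. SqlInjectionDemo` after compiling). With the constructed input, the concatenated query matches the stored row because the WHERE clause has been rewritten to always hold, whereas the prepared statement matches nothing because the bound value is compared as a literal string. The filtered run also matches nothing, but only because filterSql reduced both fields to the empty string, which is why the same filter also empties "O'Brien"; the prepared statement is the method that works without mangling legitimate input.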
Java backend methods for preventing SQL injection