PackageCom.swift;Importjava.sql.Connection;ImportJava.sql.DriverManager;Importjava.sql.PreparedStatement;ImportJava.sql.ResultSet;Importjava.sql.SQLException; Public classloginjdbc$preparedstatement { Public Static voidMain (string[] args) {User Userzhangsan=NewUser ("Swift", "123456 ' or ' 1 ' = ' 1"); if(Login (Userzhangsan)) {System.out.println ("The account password is correct and the login is successful"); }Else{System.out.println ("Login Failed"); } } Private Static BooleanLogin (User userzhangsan) {Connection conn=NULL; PreparedStatement PS=NULL; ResultSet RS=NULL; Try { //1, Load driveClass.forName ("Com.mysql.jdbc.Driver"); } Catch(ClassNotFoundException e) {e.printstacktrace (); } Try { //2, link database, using Com.mysql.jdbc.Connection package will be errorConn=drivermanager.getconnection ("Jdbc:mysql://localhost:3306/sw_database?user=root&password=root"); //3. Create a connection statementPs=conn.preparestatement ("select * from Sw_user where username= '" +userzhangsan.getusername () + "' and password= '" + Userzhangsan.getpassword () + "'"); //4. Execute SQL statement to get result setrs=Ps.executequery (); if(Rs.next ()) {return true; } } Catch(SQLException e) {e.printstacktrace (); }finally { //Close Result set Try { if(rs!=NULL) {rs.close (); } } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); } //closing a connection statement Try { if(ps!=NULL) {ps.close (); } } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); } //To close a database connection Try { if(conn!=NULL) {conn.close (); } } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); } } return false; }}
The SQL statements in the above code are concatenated by string, although PreparedStatement has been used, but still does not prevent injection, because the string connection can be added ' or ' 1 ' = ' 1
Ps=conn.preparestatement ("select * from Sw_user where username= '" +userzhangsan.getusername () + "' and password= '" + Userzhangsan.getpassword () + "'");
Change the above SQL statement to select * from Sw_user where username=? and password=?
There is no string connection, password plus other characters SQL cannot execute
So the code changes as follows:
PackageCom.swift;Importjava.sql.Connection;ImportJava.sql.DriverManager;Importjava.sql.PreparedStatement;ImportJava.sql.ResultSet;Importjava.sql.SQLException; Public classLoginjdbc$preparedstatement2 { Public Static voidMain (string[] args) {User userswift=NewUser ("Zhangsan", "123456"); if(Login (userswift)) {System.out.println ("The account password is correct and the login is successful"); }Else{System.out.println ("Login Failed"); } } Private Static BooleanLogin (User userswift) {Connection conn=NULL; PreparedStatement PS=NULL; ResultSet RS=NULL; Try { //1, Load driveClass.forName ("Com.mysql.jdbc.Driver"); } Catch(ClassNotFoundException e) {e.printstacktrace (); } Try { //2, link database, using Com.mysql.jdbc.Connection package will be errorConn=drivermanager.getconnection ("Jdbc:mysql://localhost:3306/sw_database?user=root&password=root"); //3. Create a connection statementPs=conn.preparestatement ("select * from Sw_user where username=?") and password=? "); Ps.setstring (1, Userswift.getusername ()); Ps.setstring (2, Userswift.getpassword ()); //4. Execute SQL statement to get result setrs=Ps.executequery (); if(Rs.next ()) {return true; } } Catch(SQLException e) {e.printstacktrace (); }finally { //Close Result set Try { if(rs!=NULL) {rs.close (); } } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); } //closing a connection statement Try { if(ps!=NULL) {ps.close (); } } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); } //To close a database connection Try { if(conn!=NULL) {conn.close (); } } Catch(SQLException e) {//TODO auto-generated Catch blockE.printstacktrace (); } } return false; }}
How to prevent SQL injection method from adding the MySQL database authentication password ' or ' 1 ' = ' 1 in Java to preparedstatement the universal password