1、 使用import java.sql.PreparedStatement;
2、先在 sql 里用 ? 分别为用户名和密码占位，预编译后将 sql 放入 PreparedStatement 对象中；
然后调用该对象的 set 方法设置用户名和密码，接着执行。
3、这样做的话如果密码被注入为' or '1' = '1,在设置密码时会将'转义为\';即:
select * from tb_user where username ='lisi' and password = '\' or \'1\' = \'1'
由此or后面的语句为false,注入失败,登录不成功,避免了sql注入。
import org.junit.jupiter.api.Test;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
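public class JDBC_UserLogin_SolveSqlZhuRu {

    /**
     * Demonstrates a login query that is safe against SQL injection: the user-supplied
     * username and password are bound as {@code PreparedStatement} parameters instead of
     * being concatenated into the SQL text, so the injection payload used below is compared
     * as a literal password value and never changes the structure of the query.
     *
     * @throws Exception if the driver class cannot be loaded or any JDBC call fails
     */
    @Test
    public void testSolveSqlZhuRu() throws Exception {
        // Explicit driver load; JDBC 4+ drivers self-register, kept for older setups.
        Class.forName("com.mysql.jdbc.Driver");
        String url = "jdbc:mysql://127.0.0.1:3306/db1?useSSL=false&useServerPrepStmts=true";
        // Demo-only credentials; real code should read them from configuration, never hard-code them.
        String username = "root";
        String password = "root";

        // Simulated user input; pwd is a classic injection payload.
        String name = "lisi";
        String pwd = "' or '1' = '1";

        // The SQL text contains only placeholders, so user input can never become SQL syntax.
        // NOTE(review): comparing the raw password suggests plaintext storage — verify the
        // table holds a salted hash and compare against that instead.
        String sql = "select * from tb_user where username = ? and password = ?";

        // try-with-resources closes result set, statement and connection in reverse order,
        // also when an exception is thrown; the original only closed them on the happy path.
        try (Connection connection = DriverManager.getConnection(url, username, password);
             PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
            // Bind the values; the driver sends them separately from the query text.
            preparedStatement.setString(1, name);
            preparedStatement.setString(2, pwd);
            try (ResultSet resultSet = preparedStatement.executeQuery()) {
                if (resultSet.next()) {
                    System.out.println("登录成功");
                } else {
                    System.out.println("登录失败");
                }
            }
        }
    }
}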