什么是SQL注入
所谓 SQL 注入，是指攻击者把含有 SQL 语句片段的输入拼接进程序将要执行的 SQL 语句中，
使数据库服务器把这些输入当作 SQL 代码而不是数据来解释，从而执行攻击者构造的恶意 SQL 命令。
其根本原因是把不可信的数据当作代码拼接；防御方法是使用参数化查询（如下文的 PreparedStatement），让用户输入永远只作为绑定的值、而不是 SQL 语法被解释。
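import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

/**
 * SQL injection demo: deliberately VULNERABLE code.
 *
 * <p>{@link #sqlInject(String, int)} builds its query by string concatenation, so
 * whatever is passed as {@code username} is interpreted by the database as SQL,
 * not as a value. Do not copy this pattern into real code; use a
 * {@code PreparedStatement} with {@code ?} placeholders and {@code setString} /
 * {@code setInt} instead.
 */
public class SqlInjectTest {

    /**
     * Looks up rows of the {@code users} table with a query assembled by
     * concatenation. This is the injection sink of the demo.
     *
     * @param username spliced verbatim into the SQL text; a single quote inside it
     *                 closes the string literal and the remainder runs as SQL
     * @param userage  concatenated as an {@code int}, so it cannot carry a payload
     */
    public void sqlInject(String username, int userage) {
        // INTENTIONALLY VULNERABLE: username is pasted into the query unescaped.
        String sql = "select * from users where username='" + username
                + "' and userage=" + userage;
        System.out.println(sql);

        // try-with-resources closes result set, statement and connection in
        // reverse order even if executeQuery throws; no manual finally needed.
        try (Connection connection = JDBCUtils.getConnection();
             Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery(sql)) {
            while (resultSet.next()) {
                int userid = resultSet.getInt("userid");
                String name = resultSet.getString("username");
                int age = resultSet.getInt("userage");
                System.out.println(userid + " " + name + " " + age);
            }
        } catch (Exception e) {
            // Demo only. The throws clause of JDBCUtils.getConnection() is not
            // visible here, so the broad catch is kept; production code should
            // log with context and propagate rather than swallow.
            e.printStackTrace();
        }
    }

    /**
     * Feeds the classic payload {@code changfeng' or 1=1 -- }: the quote
     * terminates the string literal, {@code or 1=1} makes the WHERE clause
     * always true, and {@code --} comments out the rest of the statement
     * (the trailing space is deliberate: MySQL only treats {@code --} as a
     * comment when it is followed by whitespace). The query therefore returns
     * every row of {@code users} instead of one user.
     */
    public static void main(String[] args) {
        SqlInjectTest sqlInjectTest = new SqlInjectTest();
        sqlInjectTest.sqlInject("changfeng' or 1=1 -- ", 29);
    }
}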

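/**
 * Safe counterpart of the injection demo: the same {@code users} lookup done
 * through a {@code PreparedStatement} with {@code ?} placeholders.
 *
 * <p>The query text is fixed when it is prepared and the arguments are bound
 * afterwards, so {@code username} is always treated as a string value: a
 * payload such as {@code "changfeng' or 1=1 -- "} simply matches no user.
 *
 * <p>Fix over the original: the loop now prints the columns read from each row
 * ({@code name}, {@code age}) instead of echoing the method arguments back.
 *
 * @param username bound to the first placeholder with {@code setString}
 * @param userage  bound to the second placeholder with {@code setInt}
 */
public void noSqlInject(String username, int userage) {
    String sql = "select * from users where username=? and userage=?";
    try (Connection connection = JDBCUtils.getConnection();
         PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
        preparedStatement.setString(1, username);
        preparedStatement.setInt(2, userage);
        // The ResultSet needs its own resource block because it can only be
        // created after both parameters are bound.
        try (ResultSet resultSet = preparedStatement.executeQuery()) {
            while (resultSet.next()) {
                int userid = resultSet.getInt("userid");
                String name = resultSet.getString("username");
                int age = resultSet.getInt("userage");
                System.out.println(userid + " " + name + " " + age);
            }
        }
    } catch (Exception e) {
        // Demo only. JDBCUtils.getConnection()'s throws clause is not visible
        // here, so the broad catch is kept; production code should log with
        // context and propagate rather than swallow.
        e.printStackTrace();
    }
}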

