什么是SQL注入
所谓 SQL 注入，就是把含有 SQL 语句片段的参数插入到需要执行的 SQL 语句中，
最终欺骗数据库服务器执行恶意的 SQL 命令。
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
/**
 * Demonstration of a SQL injection vulnerability.
 *
 * <p>{@link #sqlInject(String, int)} assembles its query by string concatenation, so the
 * {@code username} argument is interpreted as part of the SQL text rather than as data.
 * {@link #main(String[])} drives it with an argument that terminates the quoted value and
 * appends an always-true condition, which is why the printed query no longer matches a
 * single user. The mitigation is a {@code PreparedStatement} with {@code ?} placeholders
 * (see {@code noSqlInject}), which keeps the query text fixed and binds the arguments
 * separately.
 */
public class SqlInjectTest {

    /**
     * Runs a user lookup whose SQL text is built directly from the raw arguments.
     *
     * <p>Deliberately vulnerable: {@code username} is spliced into the statement without
     * any escaping or binding. Do not reuse this pattern outside the demonstration.
     *
     * @param username value concatenated into the WHERE clause as-is
     * @param userage  value concatenated into the WHERE clause
     */
    public void sqlInject(String username, int userage) {
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            conn = JDBCUtils.getConnection();
            stmt = conn.createStatement();
            // VULNERABLE: the caller's input becomes part of the SQL itself.
            String query = "select * from users where username='" + username + "' and userage=" + userage;
            // Echo the assembled statement so the effect of the input is visible.
            System.out.println(query);
            rs = stmt.executeQuery(query);
            // Process the result set.
            while (rs.next()) {
                int userid = rs.getInt("userid");
                String name = rs.getString("username");
                int age = rs.getInt("userage");
                System.out.println(userid + " " + name + " " + age);
            }
        } catch (Exception e) {
            // Demo code: any failure is reported to stderr and not propagated.
            e.printStackTrace();
        } finally {
            JDBCUtils.clossResource(rs, stmt, conn);
        }
    }

    /**
     * Entry point: calls {@link #sqlInject(String, int)} with a username that closes the
     * quoted literal, appends {@code or 1=1} and comments out the remainder of the query.
     */
    public static void main(String[] args) {
        SqlInjectTest demo = new SqlInjectTest();
        demo.sqlInject("changfeng' or 1=1 -- ", 29);
    }
}
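/**
 * Runs the same user lookup with a {@code PreparedStatement}: the SQL text is fixed and the
 * arguments are bound to {@code ?} placeholders, so they are always treated as data and
 * never as SQL.
 *
 * <p>NOTE(review): this method appears after the closing brace of {@code SqlInjectTest};
 * it presumably belongs inside that class — confirm placement.
 *
 * @param username value bound to the first placeholder
 * @param userage  value bound to the second placeholder
 */
public void noSqlInject(String username, int userage) {
    Connection conn = null;
    PreparedStatement ps = null;
    ResultSet rs = null;
    try {
        conn = JDBCUtils.getConnection();
        // Parameter markers instead of concatenation: query text and values stay separate.
        ps = conn.prepareStatement("select * from users where username=? and userage=?");
        ps.setString(1, username);
        ps.setInt(2, userage);
        rs = ps.executeQuery();
        while (rs.next()) {
            int userid = rs.getInt("userid");
            String name = rs.getString("username");
            int age = rs.getInt("userage");
            // Print what the database returned for this row, not the lookup arguments.
            System.out.println(userid + " " + name + " " + age);
        }
    } catch (Exception e) {
        // Demo code: any failure is reported to stderr and not propagated.
        e.printStackTrace();
    } finally {
        JDBCUtils.clossResource(rs, ps, conn);
    }
}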