PrepareedStatement 可以防止SQL注入

  1. package com.kuang.lesson03;
  4. import com.kuang.lesson02.utils.JdbcUtils;
  5. import java.util.Date;
  6. import java.sql.*;
  8. public class TestInsert {
  9.     public static void main(String[] args) throws SQLException {
  10.         Connection conn = null;
  11.         PreparedStatement st =null;
  12.         try {
  13.             conn= JdbcUtils.getConnection();
  15.             //区别
  16.             //使用?占位符代替参数
  17.             String sql="insert into users(id,`NAME`,`PASSWORD`,`email`,`birthday`) values(?,?,?,?,?)";
  19.             st=conn.prepareStatement(sql);//预编译,先写sql,然后不执行
  21.             st.setInt(1,4);//id
  22.             st.setString(2,"qiangjiang");//name
  23.             st.setString(3,"123123");
  24.             st.setString(4,"2233445");
  25.             //注意点: sql.Date  数据库   java.sql.Date()
  26.             //       util.Date   Java     new Date().getTime  获得时间戳
  27.             st.setDate(5,new java.sql.Date(new Date().getTime()));
  28.             //执行
  29.             int i = st.executeUpdate();
  30.             if(i>0){
  31.                 System.out.println("插入成功");
  32.             }
  34.         } catch (SQLException e) {
  35.             e.printStackTrace();
  36.         }finally {
  37.             JdbcUtils.release(conn,st,null);
  38.         }
  41.     }
  42. }

其他的类似,只需要改sql语句和手动给参即可。
删除类似:
image.png
更新:
image.png
查询:

  1. package com.kuang.lesson03;
  3. import com.kuang.lesson02.utils.JdbcUtils;
  5. import javax.annotation.Resource;
  6. import java.sql.Connection;
  7. import java.sql.PreparedStatement;
  8. import java.sql.ResultSet;
  9. import java.sql.SQLException;
  11. public class TestSelect {
  12.     public static void main(String[] args) throws SQLException {
  13.         Connection conn=null;
  14.         PreparedStatement st=null;
  15.         ResultSet rs=null;
  17.         try {
  18.             conn=JdbcUtils.getConnection();
  20.             String sql="select * from users where id = ?";
  22.             st=conn.prepareStatement(sql);
  24.             st.setInt(1,1);
  26.             rs=st.executeQuery();
  27.             if(rs.next()){
  28.                 System.out.println(rs.getString("NAME"));
  29.             }
  31.         } catch (SQLException e) {
  32.             e.printStackTrace();
  33.         }finally {
  34.             JdbcUtils.release(conn,st,rs);
  35.         }
  37.     }
  38. }

如何解决sql注入问题?

package com.kuang.lesson03;

import com.kuang.lesson02.utils.JdbcUtils;

import java.sql.*;

public class SqlInjection {
    public static void main(String[] args) {
//    login("zhansan","123456");
    login("''or '1=1","123456");
}
    public static void login(String username,String password){
        Connection conn=null;
        PreparedStatement st=null;
        ResultSet rs=null;

        try {
            conn= JdbcUtils.getConnection();


            //SELECT * FROM users WHERE `name` = 'zhansan' AND `password` = '123456';
            String sql="SELECT * FROM users WHERE `NAME` = ? and `PASSWORD`=?";
            st=conn.prepareStatement(sql);

            st.setString(1,username);
            st.setString(2,password);
            rs=st.executeQuery();
            while (rs.next()){
                System.out.println(rs.getString("NAME"));
                System.out.println(rs.getString("password"));
                System.out.println("=====================================");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }finally {
            try {
                JdbcUtils.release(conn,st,rs);
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }
}

image.png
Preparedstatement 防止SQL注入的本质,把传递进来的参数当做字符
假设其中存在转义字符,比如说 ` 会被直按转义