1. package JDBC;
    3. import java.sql.Connection;
    4. import java.sql.DriverManager;
    5. import java.sql.ResultSet;
    6. import java.sql.Statement;
    8. public class login {
    9.     public String login(String aname,String apass){
    10.         String result = "用户名或密码错误";
    11.         String classname = "com.mysql.jdbc.Driver";
    12.         String url = "";
    13.         String username = "";
    14.         String password = "";
    15.         try {
    16.             Class.forName(classname);
    17.             Connection conn = DriverManager.getConnection(url, username, password);
    18.             Statement stat = conn.createStatement();
    19.             String sql = "select * from atm where aname='"+aname+"'and apass='"+apass+"'";
    20.             ResultSet rs = stat.executeQuery(sql);
    21.             if (rs.next()){
    22.                 result = "登陆成功";
    23.             }
    24.             System.out.println("执行成功");
    25.             stat.close();
    26.             conn.close();
    27.         } catch (Exception e) {
    28.             e.printStackTrace();
    29.         }
    30.         return result;
    31.     }
    32. }
    1. package JDBC;
    3. import java.util.Scanner;
    5. public class Testlogin {
    6.     public static void main(String[] args) {
    7.         Scanner input = new Scanner(System.in);
    8.         System.out.println("请输入账号:");
    9.         String aname = input.nextLine();
    10.         System.out.println("请输入密码:");
    11.         String apass = input.nextLine();
    12.         login lg = new login();
    13.         String rs = lg.login(aname, apass);
    14.         if (rs.equals("登陆成功")){
    15.             System.out.println("欢迎登陆银行系统");
    16.         }else{
    17.             System.out.println(rs);
    18.         }
    19.     }
    20. }

    image.png
    image.png
    在控制台执行命令可以发现使用xxx’ or ‘1’ = ‘1 也可以成功的登陆———>SQL注入
    什么是SQL注入
    通过SQL命令,拼接其他的字符串,让其他的字符串来改变原有SQL语句的执行,最终达到欺骗服务器的效果,里面拼接的字符符合SQL语法(被SQL语法认可)
    解决办法
    1.利用PreparedStatement

    1. package JDBC;
    3. import java.sql.*;
    5. public class login {
    6.     public String login(String aname,String apass){
    7.         String result = "用户名或密码错误";
    8.         String classname = "com.mysql.jdbc.Driver";
    9.         String url = "jdbc:mysql://bj-cdb-547s28hs.sql.tencentcdb.com:60439/test?useSSL=true";
    10.         String username = "root";
    11.         String password = "qq2653650997";
    12.         String sql = "select * from atm where aname=? and apass = ?";
    13.         try {
    14.             Class.forName(classname);
    15.             Connection conn = DriverManager.getConnection(url, username, password);
    16.             PreparedStatement pstat = conn.prepareStatement(sql);
    17.             // 给问号赋值
    18.             pstat.setString(1,aname);
    19.             pstat.setString(2,apass);
    21.             ResultSet rs = pstat.executeQuery();
    22.             if (rs.next()){
    23.                 return "登陆成功";
    24.             }
    25.             System.out.println("执行成功");
    26.             pstat.close();
    27.             conn.close();
    28.         } catch (Exception e) {
    29.             e.printStackTrace();
    30.         }
    31.         return result;
    32.     }
    33. }