您的位置：首页 > 数据库

jdbc防止sql注入学习记录

2012-02-09 23:37 411 查看

package cn.itcast.jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SQLInject {
public static void main(String[] args) throws SQLException {
read("wangwu");
read("'or 1 or'");
}
//  injection codes
//	static void read(St
4000
ring name) throws SQLException{
//		Connection conn = null;
//		Statement st = null;
//		ResultSet rs = null;
//
//		try {
//			conn = JdbcUtils.getConnection();
//			st = conn.createStatement();
//			rs = st.executeQuery("select id,name,birthday,money " +
//					"from user where name='"+name+"'");
//
//			while(rs.next()){
//				System.out.println(rs.getObject("id")+"\t"
//						+rs.getObject("name")+"\t"
//						+rs.getObject("money")+"\t"
//						+rs.getObject("birthday"));
//			}
//		} catch (Exception e) {
//			// TODO: handle exception
//			System.out.println("f");
//		}finally{
//			JdbcUtils.free(rs, st, conn);
//		}
//	}

static void read(String name) throws SQLException{
Connection conn = null;
PreparedStatement ps = null;
ResultSet rs = null;

try {
conn = JdbcUtils.getConnection();
String sql = "select id,name,birthday,money from user where name=?";
ps = conn.prepareStatement(sql);
ps.setString(1, name);
rs = ps.executeQuery();

while(rs.next()){
System.out.println(rs.getObject("id")+"\t"
+rs.getObject("name")+"\t"
+rs.getObject("money")+"\t"
+rs.getObject("birthday"));
}
} catch (Exception e) {
// TODO: handle exception
System.out.println("f");
}finally{
JdbcUtils.free(rs, ps, conn);
}
}
}

内容来自用户分享和网络整理，不保证内容的准确性，如有侵权内容，可联系管理员处理

标签： sql jdbc exception string user class

相关文章推荐

新的分享

章节导航