JSP SQL注入

Login.JSP

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme() + "://"
+ request.getServerName() + ":" + request.getServerPort()
+ path + "/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">

<title>Login</title>

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
</head>

<body>
<form method="POST" action="servlet/Login">
用户名:
<input type="text" name="UserName" value="">
<BR>
密     码:
<input type="password" name="Pwd">
<BR>
<input type="submit">
</form>
</body>
</html>

Servlet:

package servlet;

import java.io.*;

import javax.servlet.*;
import javax.servlet.http.*;

import dao.*;

public class Login extends HttpServlet {

public void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {

response.setContentType("text/html");
String strUserName = request.getParameter("UserName");
String strPwd = request.getParameter("Pwd");
String strLoginSuccess = "";
if (LoginDao.CheckUser(strUserName, strPwd)) {
strLoginSuccess = "登录成功";
} else {
strLoginSuccess = "登录失败";
}
// 使结果显示输出中文
response.setCharacterEncoding("UTF-8");
PrintWriter out = response.getWriter();
out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
out.println("<HTML>");
out.println("  <meta charset='UTF-8'>");
out.println("  <HEAD><TITLE>登录结果</TITLE></HEAD>");
out.println("  <BODY>");
out.print("[" + strLoginSuccess + "]");
out.println("  </BODY>");
out.println("</HTML>");
out.flush();
out.close();
}
}

DAO:

package dao;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginDao {
static String url = "jdbc:sqlserver://127.0.0.1:1433;DataBaseName=HUAWEI";
static Connection con = null;
static Statement sta = null;

public static boolean CheckUser(String strUserName, String strPwd) {
boolean bRet = false;
try {
// 连接
Connc();

bRet = doLogin(strUserName, strPwd);
// 关闭
Close();

} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}

return bRet;
}

static void Connc() throws ClassNotFoundException, SQLException {
Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
con = DriverManager.getConnection(url, "sa", "sa");
}

static void Close() throws SQLException {
if (con != null) {
con.close();
con = null;
}
}

static boolean doLogin(String myName, String pwd) {
String strPwdFromDb = "";
boolean bRet = false;

try {
sta = con.createStatement();

ResultSet ret = sta.executeQuery("SELECT Pwd FROM [USER] WHERE UserName = '"+ myName + "' AND Pwd = '" + pwd + "'");

if (ret.next()) {
bRet = true;
}

if (sta != null) {
sta.close();
sta = null;
}
return bRet;

} catch (SQLException e) {
e.printStackTrace();
}
return bRet;
}
}

数据库:"USER表"

UserName	Pwd
Apple	123
Boy	456
Cat	789
Dog	ABC
NULL	NULL

混乱SQL文:

1.Apple' or 1=1--
2.Apple' or 1=1; Update [USER] SET Pwd = '123';--