JDBC中PreparedStatement如何防sql攻击
需要用到JUnit测试
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.junit.Test;
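public class Demo1 {

    /** JDBC driver class loaded before the first connection is opened. */
    private static final String DRIVER_CLASS_NAME = "com.mysql.jdbc.Driver";
    /** JDBC URL of the demo database. */
    private static final String URL = "jdbc:mysql://localhost:3306/mydb3";
    /** Database account used by the demo. */
    private static final String MYSQL_USERNAME = "root";
    // NOTE(review): the database password is hard-coded in source for the demo only.
    // Production code reads it from configuration or a secret store and never commits it.
    private static final String MYSQL_PASSWORD = "050818";

    public static void main(String[] args) {
        // TODO Auto-generated method stub
    }

    /**
     * Loads the driver and opens a connection with the demo credentials.
     * The caller owns the returned connection and must close it (try-with-resources).
     *
     * @return an open connection to the demo database
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException if the connection cannot be established
     */
    private static Connection openConnection() throws ClassNotFoundException, SQLException {
        Class.forName(DRIVER_CLASS_NAME);
        return DriverManager.getConnection(URL, MYSQL_USERNAME, MYSQL_PASSWORD);
    }

    /**
     * Login by querying t_user with username and password: returns true when the query
     * yields at least one row, false otherwise.
     *
     * <p>VULNERABLE BY DESIGN: the inputs are concatenated into the SQL text, so a quote
     * character in either value changes the structure of the statement instead of being
     * treated as data (fun1 shows the effect). This method exists only to contrast with
     * {@link #login2(String, String)}; never use this form for real input.
     *
     * @param username user name as typed by the caller (untrusted)
     * @param password password as typed by the caller (untrusted)
     * @return true if the query returned a row
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException if the connection or the query fails
     */
    public boolean login1(String username, String password) throws ClassNotFoundException, SQLException {
        // Connection, Statement and ResultSet are all closed by try-with-resources;
        // the original leaked them on every call.
        try (Connection conn = openConnection();
             Statement stmt = conn.createStatement()) {
            // Injection point: the raw input becomes part of the SQL text itself.
            String sql = "select * from t_user where username='" + username + "' and password='" + password + "'";
            // Printing the full statement also writes the password to stdout; kept only so the
            // demo shows the statement that actually runs.
            System.out.println(sql);
            try (ResultSet rs = stmt.executeQuery(sql)) {
                return rs.next();
            }
        }
    }

    /**
     * Demonstrates the injection against login1: both inputs carry a quote that closes the
     * string literal and appends an always-true condition, so the query matches every row
     * and login1 reports success without valid credentials.
     */
    @Test
    public void fun1() throws Exception {
        String username = "a' or 'a'='a";
        String password = "a' or 'a'='a";
        boolean bool = login1(username, password);
        System.out.println(bool);
    }

    /**
     * Same login check using a PreparedStatement.
     *
     * <p>The statement text contains only {@code ?} placeholders; the values are bound with
     * setString, so they are sent as data and can never alter the query structure. This is
     * the form to use for untrusted input.
     *
     * <p>NOTE(review): the query compares the stored password column directly with the raw
     * input, which implies the table holds plaintext passwords; a real system stores a
     * salted hash and compares hashes instead.
     *
     * @param username user name as typed by the caller (untrusted)
     * @param password password as typed by the caller (untrusted)
     * @return true if the query returned a row
     * @throws Exception if the driver is missing or the connection/query fails
     */
    public boolean login2(String username, String password) throws Exception {
        // 1. SQL template: every parameter is written as ?
        String sql = "select * from t_user where username=? and password=?";
        try (Connection conn = openConnection();
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            // 2. Bind the parameters (1-based index).
            pstmt.setString(1, username); // first ?
            pstmt.setString(2, password); // second ?
            // executeQuery takes no argument: the statement already holds the SQL.
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    /**
     * Normal login through login2. Swapping in the fun1 inputs (kept below, commented out)
     * makes login2 return false: the quotes are bound as plain characters of the value.
     */
    @Test
    public void fun2() throws Exception {
        String username = "zhangsan";
        String password = "050818";
        // String username = "a' or 'a'='a";
        // String password = "a' or 'a'='a";
        boolean bool = login2(username, password);
        System.out.println(bool);
    }
}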
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import org.junit.Test;
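public class Demo1 {

    /** JDBC driver class loaded before the first connection is opened. */
    private static final String DRIVER_CLASS_NAME = "com.mysql.jdbc.Driver";
    /** JDBC URL of the demo database. */
    private static final String URL = "jdbc:mysql://localhost:3306/mydb3";
    /** Database account used by the demo. */
    private static final String MYSQL_USERNAME = "root";
    // NOTE(review): the database password is hard-coded in source for the demo only.
    // Production code reads it from configuration or a secret store and never commits it.
    private static final String MYSQL_PASSWORD = "050818";

    public static void main(String[] args) {
        // TODO Auto-generated method stub
    }

    /**
     * Loads the driver and opens a connection with the demo credentials.
     * The caller owns the returned connection and must close it (try-with-resources).
     *
     * @return an open connection to the demo database
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException if the connection cannot be established
     */
    private static Connection openConnection() throws ClassNotFoundException, SQLException {
        Class.forName(DRIVER_CLASS_NAME);
        return DriverManager.getConnection(URL, MYSQL_USERNAME, MYSQL_PASSWORD);
    }

    /**
     * Login by querying t_user with username and password: returns true when the query
     * yields at least one row, false otherwise.
     *
     * <p>VULNERABLE BY DESIGN: the inputs are concatenated into the SQL text, so a quote
     * character in either value changes the structure of the statement instead of being
     * treated as data (fun1 shows the effect). This method exists only to contrast with
     * {@link #login2(String, String)}; never use this form for real input.
     *
     * @param username user name as typed by the caller (untrusted)
     * @param password password as typed by the caller (untrusted)
     * @return true if the query returned a row
     * @throws ClassNotFoundException if the driver class is not on the classpath
     * @throws SQLException if the connection or the query fails
     */
    public boolean login1(String username, String password) throws ClassNotFoundException, SQLException {
        // Connection, Statement and ResultSet are all closed by try-with-resources;
        // the original leaked them on every call.
        try (Connection conn = openConnection();
             Statement stmt = conn.createStatement()) {
            // Injection point: the raw input becomes part of the SQL text itself.
            String sql = "select * from t_user where username='" + username + "' and password='" + password + "'";
            // Printing the full statement also writes the password to stdout; kept only so the
            // demo shows the statement that actually runs.
            System.out.println(sql);
            try (ResultSet rs = stmt.executeQuery(sql)) {
                return rs.next();
            }
        }
    }

    /**
     * Demonstrates the injection against login1: both inputs carry a quote that closes the
     * string literal and appends an always-true condition, so the query matches every row
     * and login1 reports success without valid credentials.
     */
    @Test
    public void fun1() throws Exception {
        String username = "a' or 'a'='a";
        String password = "a' or 'a'='a";
        boolean bool = login1(username, password);
        System.out.println(bool);
    }

    /**
     * Same login check using a PreparedStatement.
     *
     * <p>The statement text contains only {@code ?} placeholders; the values are bound with
     * setString, so they are sent as data and can never alter the query structure. This is
     * the form to use for untrusted input.
     *
     * <p>NOTE(review): the query compares the stored password column directly with the raw
     * input, which implies the table holds plaintext passwords; a real system stores a
     * salted hash and compares hashes instead.
     *
     * @param username user name as typed by the caller (untrusted)
     * @param password password as typed by the caller (untrusted)
     * @return true if the query returned a row
     * @throws Exception if the driver is missing or the connection/query fails
     */
    public boolean login2(String username, String password) throws Exception {
        // 1. SQL template: every parameter is written as ?
        String sql = "select * from t_user where username=? and password=?";
        try (Connection conn = openConnection();
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            // 2. Bind the parameters (1-based index).
            pstmt.setString(1, username); // first ?
            pstmt.setString(2, password); // second ?
            // executeQuery takes no argument: the statement already holds the SQL.
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    /**
     * Normal login through login2. Swapping in the fun1 inputs (kept below, commented out)
     * makes login2 return false: the quotes are bound as plain characters of the value.
     */
    @Test
    public void fun2() throws Exception {
        String username = "zhangsan";
        String password = "050818";
        // String username = "a' or 'a'='a";
        // String password = "a' or 'a'='a";
        boolean bool = login2(username, password);
        System.out.println(bool);
    }
}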