使用preparedStatement预编译解决SQL注入
/**
* 执行登陆
*
* @return boolean
* @throws Exception ?
*/
public boolean login() throws Exception {
Connection connection = MyDatabase.getConn();
PreparedStatement preparedStatement = connection.prepareStatement("SELECT * FROM user WHERE signin_name=?");
preparedStatement.setString(1, signinName);
ResultSet resultSet = preparedStatement.executeQuery();
String pwd = "";
while (resultSet.next()) {
pwd = resultSet.getString("pwd");
}
MyDatabase.kill(connection, preparedStatement, resultSet);
return pwd.equals(MyString.Md5(this.pwd));
}
网友评论