package Java_JDBC;
import java.sql.*;
import java.util.Scanner;
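/**
 * @Author quzheng
 * @Date 2019/10/2 23:41
 * @Version 1.0
 * Preventing SQL injection: the SQL text is fixed and compiled once through the
 * {@link PreparedStatement} interface with {@code ?} placeholders; the
 * user-supplied values are bound as parameters and never concatenated into the
 * statement, so they cannot alter its structure.
 */
public class JDBC_Avoid_Injection {

    /**
     * Reads a username and a password from standard input and looks the user up
     * with a parameterised query, printing every matching row.
     *
     * @param args ignored
     * @throws ClassNotFoundException if the MySQL driver class is not on the classpath
     * @throws SQLException if connecting to the database or running the query fails
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        Class.forName("com.mysql.jdbc.Driver");
        // NOTE(review): demo-only hard-coded credentials; production code should
        // read them from configuration or a secret store, never from source.
        String url = "jdbc:mysql://192.168.8.14:3306/day22_JDBC";
        String user = "root";
        String password = "123456";
        // try-with-resources closes the connection, statement and result set in
        // reverse order even when prepareStatement()/executeQuery() throws; the
        // original only closed them on the success path.
        try (Connection con = DriverManager.getConnection(url, user, password)) {
            // Both inputs are untrusted; they are only ever passed as bound
            // parameters below, never spliced into the SQL text.
            Scanner sc = new Scanner(System.in);
            String username = sc.nextLine();
            String passwd = sc.nextLine();
            // Every variable part of the statement is a ? placeholder.
            String sql = "select * from users where username=? and PASSWORD=?";
            // Connection.prepareStatement precompiles the fixed SQL text.
            try (PreparedStatement pst = con.prepareStatement(sql)) {
                // Bind the placeholder parameters via the PreparedStatement set methods.
                pst.setObject(1, username);
                pst.setObject(2, passwd);
                // Execute; the parameters carry values only, no SQL fragments.
                try (ResultSet rs = pst.executeQuery()) {
                    while (rs.next()) {
                        // NOTE(review): echoes the stored PASSWORD column, which this
                        // demo table appears to hold in plaintext — acceptable only in
                        // a classroom exercise.
                        System.out.println(rs.getString("username") + " " + rs.getString("PASSWORD"));
                    }
                }
            }
        }
    }
}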