JDBC: preventing SQL injection vulnerabilities
Using precompiled (prepared) statements is an effective way to prevent SQL injection.
Reason: a plain Statement cannot effectively prevent SQL injection, because the parameters a user passes in may contain special characters, such as a single quote ' or a comment marker --, that change the meaning of our SQL statement.
Using the placeholder of a prepared statement, the ?, handles this problem effectively: the SQL text is compiled first and the user's values are bound to it afterwards as data, so they can never be parsed as SQL syntax.
```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

import org.junit.Test;

public class Prepared {
    @Test
    public void papa() {
        Connection conn = null;
        PreparedStatement pstmt = null;
        ResultSet rs = null;
        try {
            // Register the driver
            // Class.forName("com.mysql.jdbc.Driver");
            // Open the connection
            // conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/user", "root", "dumy");
            conn = JDBCUtils.getConnection();
            // Write the SQL, with ? placeholders instead of concatenated values
            // String sql = "select * from administer where id = ?";
            String sql = "select * from administer where username = ? and password = ?";
            // Precompile the statement
            pstmt = conn.prepareStatement(sql);
            // Bind values to the ? placeholders (1-based positions)
            pstmt.setString(1, "ddd");
            pstmt.setString(2, "123");
            rs = pstmt.executeQuery();
            while (rs.next()) {
                System.out.println("登录胜利");
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // Close the result set, statement and connection
            JDBCUtils.release(pstmt, conn, rs);
        }
    }
}
```
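As an added example (not code from the original post), the same login query written both ways side by side: the concatenated form sent through a plain Statement, where a quote in the input alters the SQL text, and the bound-parameter form. The class name LoginQueryDemo and the sample username are constructed; the connection URL and credentials are the ones in the page's commented-out code, and try-with-resources replaces the page's JDBCUtils.release helper.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class LoginQueryDemo {

    // UNSAFE: user input is spliced into the SQL text, so a ' or -- in the
    // input becomes part of the statement's structure instead of a value.
    static String buildUnsafeSql(String username, String password) {
        return "select * from administer where username = '" + username
             + "' and password = '" + password + "'";
    }

    static boolean loginUnsafe(Connection conn, String username, String password) throws SQLException {
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(buildUnsafeSql(username, password))) {
            return rs.next();
        }
    }

    // SAFE: the SQL text is fixed when prepared; the values are bound afterwards
    // and the driver/server always treats them as data, never as SQL syntax.
    static boolean loginSafe(Connection conn, String username, String password) throws SQLException {
        String sql = "select * from administer where username = ? and password = ?";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: a legitimate name that happens to contain a single quote.
        String username = "O'Brien";
        String password = "123";
        // In the concatenated text the quote closes the string literal early,
        // so the statement the server receives is no longer the one the developer wrote.
        System.out.println("unsafe SQL text: " + buildUnsafeSql(username, password));
        // Connection details taken from the page's commented-out code (assumed reachable).
        try (Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/user", "root", "dumy")) {
            // The bound value is matched literally, quote included.
            System.out.println("safe login: " + loginSafe(conn, username, password));
        }
    }
}
```

Running loginUnsafe with the same input produces a syntax error from the server, which is the visible symptom of the problem the page describes; loginSafe simply returns false because no such user exists.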
That covers how JDBC prevents SQL injection; for more, see the other related articles on ki4网!