SQL注入问题
package space.urbeautiful.utils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; public class Login { public static void main(String[] args) { log("' or ' 1=1","' or '1=1"); } public static void log(String username,String password){ Connection conn = null; Statement stat = null; ResultSet rs = null; try { conn = JdbcUtils.getConn(); stat = conn.createStatement(); String sql = "select * from userlogin where uname = '"+username+"' and password = '"+password+"'"; rs = stat.executeQuery(sql); while(rs.next()){ System.out.println(rs.getString("uname")); System.out.println(rs.getString("password")); } } catch (SQLException e) { e.printStackTrace(); }finally{ JdbcUtils.release(conn,stat,rs); } } }
解决的办法就是不适用Statement 使用PrepareStatement