在用户名或者密码框中输入“11‘ or ’1‘ = '1”时,生成的sql语句将为“selec * from userInfo where name = '11' or '1' = '1' and pwd = '11' or '1' = '1'”;该语句永远为真。为了防止sql语句的注入,提高程序的安全性。需要替换危险字符。
Java代码段:
public class Checkstr {
public String dostring(String str){
str=str.replaceAll(";","");
str=str.replaceAll("&","&");
str=str.replaceAll("<","<");
str=str.replaceAll(">",">");
str=str.replaceAll("'","");
str=str.replaceAll("--","");
str=str.replaceAll("/","");
str=str.replaceAll("%","");
return str;
}
}