JDBC 防止 SQL 注入学习记录

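package cn.itcast.jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Study example contrasting a string-concatenated query with a parameterized one.
 *
 * <p>The active {@link #read(String)} binds the user-supplied name through a
 * {@link PreparedStatement} placeholder, so the value is sent as data and quote
 * characters inside it are never parsed as SQL. The concatenating variant is kept
 * below as a comment for comparison only.
 */
public class SQLInject {

    /**
     * Runs the lookup once with an ordinary name and once with a value containing
     * quotes and {@code or}, to show that the parameterized query treats both as
     * plain strings.
     *
     * @param args unused
     * @throws SQLException declared by {@link #read(String)}
     */
    public static void main(String[] args) throws SQLException {
        read("wangwu");
        read("'or 1 or'");
    }

    // Vulnerable variant, kept for comparison. It splices name into the SQL text,
    // so a value such as 'or 1 or' changes the WHERE clause instead of being
    // compared against the name column.
    //
    // static void read(String name) throws SQLException {
    //     Connection conn = null;
    //     Statement st = null;
    //     ResultSet rs = null;
    //
    //     try {
    //         conn = JdbcUtils.getConnection();
    //         st = conn.createStatement();
    //         rs = st.executeQuery("select id,name,birthday,money "
    //                 + "from user where name='" + name + "'");
    //
    //         while (rs.next()) {
    //             System.out.println(rs.getObject("id") + "\t"
    //                     + rs.getObject("name") + "\t"
    //                     + rs.getObject("money") + "\t"
    //                     + rs.getObject("birthday"));
    //         }
    //     } catch (Exception e) {
    //         // TODO: handle exception
    //         System.out.println("f");
    //     } finally {
    //         JdbcUtils.free(rs, st, conn);
    //     }
    // }

    /**
     * Prints id, name, money and birthday of every row in {@code user} whose name
     * equals {@code name}.
     *
     * <p>The name is bound with {@link PreparedStatement#setString(int, String)}.
     * Placeholders bind values only; a table or column name that came from input
     * could not be protected this way and would need an allow-list check instead.
     *
     * @param name value compared against the {@code name} column
     * @throws SQLException declared for callers; failures inside the query are
     *         currently reported on standard error and not rethrown
     */
    static void read(String name) throws SQLException {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();
            // The SQL text is a constant; the only variable part is the bound parameter.
            String sql = "select id,name,birthday,money from user where name=?";
            ps = conn.prepareStatement(sql);
            ps.setString(1, name);
            rs = ps.executeQuery();
            while (rs.next()) {
                System.out.println(rs.getObject("id") + "\t"
                        + rs.getObject("name") + "\t"
                        + rs.getObject("money") + "\t"
                        + rs.getObject("birthday"));
            }
        } catch (Exception e) {
            // Report what failed instead of hiding it behind a placeholder message.
            // The broad catch is kept because JdbcUtils is declared elsewhere and the
            // checked exceptions of getConnection() are not visible here.
            System.err.println("query failed: " + e);
        } finally {
            // Release in all cases; JdbcUtils.free receives null for anything not yet opened.
            JdbcUtils.free(rs, ps, conn);
        }
    }
}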

