PreparedStatement之安全问题

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.junit.Test;

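/**
 * Side-by-side demonstration of SQL injection (CWE-89) against a string-built
 * {@link Statement} query versus the same query issued through a
 * {@link PreparedStatement} with bound parameters.
 *
 * <p>Both tests send the same attacker-style username. Only the concatenated
 * version can be tricked into accepting the login; the bound version treats
 * the quote and comment characters as plain data.
 *
 * <p>Neither test is a template for real authentication: the query compares
 * the raw password against a column, which only works if the column holds
 * plaintext. A production login should look the user up by name and verify a
 * salted hash (bcrypt/scrypt/argon2) in application code.
 */
public class TestByStatement {

    /**
     * Attacker-controlled username. The single quote closes the string
     * literal in the concatenated query, {@code or 1=1} makes the WHERE
     * clause always true, and {@code -- } comments out the password check
     * in dialects where "-- " starts a line comment.
     */
    private static final String NAME = "ericdfhfhdfgd' or 1=1 -- ";

    /** Deliberately wrong password; a correct login must not be possible with it. */
    private static final String PASSWORD = "123456dfgdgd";

    /**
     * VULNERABLE on purpose: builds the SQL by concatenating untrusted input.
     * With the values above the statement executed is
     * {@code select * from users where name='ericdfhfhdfgd' or 1=1 -- ' and password='123456dfgdgd'},
     * so any row in {@code users} satisfies it and the login is (wrongly) accepted.
     * Kept only to show the attack; never copy this pattern.
     */
    @Test
    public void testStatement() {
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        conn = JDBCUtil.getConncetion();
        // Injection point: NAME and PASSWORD become part of the SQL text itself.
        String sql = "select * from users where name='" + NAME + "' and password='" + PASSWORD + "'";
        try {
            stmt = conn.createStatement();
            rs = stmt.executeQuery(sql);
            printOutcome(rs.next());
        } catch (SQLException e) {
            // Fail the test loudly instead of printing and passing on a broken query.
            throw new IllegalStateException("statement-based login query failed", e);
        } finally {
            JDBCUtil.close(conn, stmt, rs);
        }
    }

    /**
     * SAFE variant: the SQL text is fixed and the two values are bound with
     * {@code setString}, so the driver sends them as data rather than as part
     * of the statement. The same malicious NAME yields "login fails" here
     * because no user is literally named {@code ericdfhfhdfgd' or 1=1 -- }.
     */
    @Test
    public void testPrepareStatement() {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;
        conn = JDBCUtil.getConncetion();
        String sql = "select * from users where name=? and password=?";
        try {
            stmt = conn.prepareStatement(sql);
            // Bind as parameters: quote and comment characters in NAME are inert.
            stmt.setString(1, NAME);
            stmt.setString(2, PASSWORD);
            rs = stmt.executeQuery();
            printOutcome(rs.next());
        } catch (SQLException e) {
            // Fail the test loudly instead of printing and passing on a broken query.
            throw new IllegalStateException("prepared-statement login query failed", e);
        } finally {
            JDBCUtil.close(conn, stmt, rs);
        }
    }

    /**
     * Prints the login verdict shared by both tests.
     *
     * @param rowFound whether the query returned at least one row; a row means
     *                 the login is treated as accepted
     */
    private static void printOutcome(boolean rowFound) {
        if (rowFound) {
            System.out.println("sucess login");
        } else {
            System.out.println("login fails");
        }
    }
}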
