SQL注入问题

sql存在漏洞，会被攻击导致数据泄露 SQL会被拼接 or

package com.kuang.lesson02;
import com.kuang.lesson02.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class SQL注入 {public static void main(String[] args) throws SQLException {//SQL注入login("sanjin","123456");
//        login("' or '1=1","123456");}public static void login(String name,String password) throws SQLException {Connection conn =null;Statement st = null;ResultSet rs =null;try {conn = jdbcUtils.getConnection();//获取连接st = conn.createStatement();//获取SQL执行对象String sql = "select * from users where `NAME`='"+ name +"'  AND `PASSWORD`='"+ password +"'" ;rs=st.executeQuery(sql);//查询完毕返回结果集while (rs.next()){System.out.println(rs.getString("NAME"));}jdbcUtils.release(conn,st,rs);} catch (Exception e) {e.printStackTrace();}finally {jdbcUtils.release(conn,st,rs);}}
}

PreparedStatement对象

PreparedStatement 可以防止SQL注入 ，效率更高。

1. 新增
2. 删除
3. 更新
4. 查询

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-g2bWtm8m-1609070543587)(C:\Users\王东梁\AppData\Roaming\Typora\typora-user-images\image-20201227170521886.png)]

package com.kuang.lesson03;
import com.kuang.lesson02.utils.jdbcUtils;import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class Test01 {public static void main(String[] args) throws SQLException {Connection connection= null;PreparedStatement pstm=null;try {connection = jdbcUtils.getConnection();//区别//使用问好占位符代替参数String sql = "insert into users(id,`NAME`) values(?,?)";pstm = connection.prepareStatement(sql);//预编译sql，先写sql然后不执行//手动赋值pstm.setInt(1,6);pstm.setString(2,"SANJIN");//执行int i = pstm.executeUpdate();if (i>0){System.out.println("插入成功");}} catch (Exception e) {e.printStackTrace();}finally {jdbcUtils.release(connection,pstm,null);}}
}

防止SQL注入本质，传递字符 带有“ ”，转义字符会被转义