JDBC简化写法和Sql攻击及解决方案

循环打印&＃xff1a;

package cn.tedu.jdbc;import com.mysql.jdbc.Driver;
import org.junit.Test;import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;public class Test2 {&＃64;Testpublic void get() throws Exception {Class.forName("com.mysql.jdbc.Driver");String url &＃61; "jdbc:mysql://localhost:3306/cgb2109?characterEncoding&＃61;utf8&serverTimezone&＃61;Asia/Shanghai&useSSL&＃61;false";Connection c &＃61; DriverManager.getConnection(url,"root","root");Statement s &＃61; c.createStatement();ResultSet r &＃61; s.executeQuery("select * from courses");while (r.next()){for (int i &＃61; 1; i < 4; i&＃43;&＃43;) {Object o &＃61; r.getObject(i);System.out.println(o);}// String a &＃61; r.getString(1);
// String s1 &＃61; r.getString(2);
// int a1 &＃61; r.getInt(3);
// System.out.println(a&＃43;s1&＃43;a1);}r.close();s.close();c.close();}
}

getObject 过去object对象&＃xff0c;遍历打印

while (r.next()){for (int i &＃61; 1; i < 4; i&＃43;&＃43;) {Object o &＃61; r.getObject(i);System.out.println(o);}}


注意事项&＃xff1a;

sql攻击&＃xff1a;
//1,本质上就是因为SQL中出现了特殊符号#,#号在SQL中是注释的意思(测试时使用固定的用户名jack’#)
//2,Statement传输器在执行SQL时遇到了SQL拼接,把#当做了注释用!!

解决方法&＃xff1a;
1.将传输器注释掉。
2. 改写sql语句&＃xff1a;String &＃61; “select * from user where name&＃61;? and pwd&＃61;?”;
3. //准备执行预编译的sql
PreparedStatement s &＃61; c.prepareStatement(sql);
4. //设置sql中的参数
s.setObject(1,username); //第一个&＃xff1f;设置值username
s.setObject(2,password); //第二个&＃xff1f;设置值password

完整代码


package cn.tedu.jdbc;import org.junit.Test;import java.sql.*;
import java.util.Arrays;
import java.util.Scanner;public class Test4 {public static void main(String[] args) throws Exception {Class.forName("com.mysql.jdbc.Driver");Connection c &＃61; DriverManager.getConnection("jdbc:mysql://localhost:3306/cgb2109","root","root");// Statement s &＃61; c.createStatement();System.out.println("请输入用户名");String username &＃61; new Scanner(System.in).next();System.out.println("请输入密码");String password &＃61; new Scanner(System.in).next();// ResultSet r &＃61; s.executeQuery("select * from user where name&＃61;&＃39;"&＃43;username&＃43;"&＃39; and pwd&＃61;&＃39;"&＃43;password&＃43;"&＃39;");/**sql骨架&＃xff1a;&＃xff1f;叫占位符*/String sql &＃61; "select * from user where name&＃61;? and pwd&＃61;?";//准备执行预编译的sqlPreparedStatement s &＃61; c.prepareStatement(sql);//设置sql中的参数s.setObject(1,username);//第一个&＃xff1f;设置值usernames.setObject(2,password);//第二个&＃xff1f;设置值passwordResultSet r &＃61; s.executeQuery();if (r.next()){System.out.println("登陆成功");}else{System.out.println("登录失败&＃xff0c;请重新登录&＃xff01;");}r.close();s.close();c.close();}
}