mysql的安全漏洞的一种现象，就是利用转义字符把化没了，然后true起作用啦

mysql的安全漏洞的一种现象，就是利用转义字符把 ” ” 化没了，然后true 起作用啦

所以~ select * from stu where StuName = true~~~~~

代码举例：

//登录系统System.out.println(“请输入用户名:”);Scanner scanner = new Scanner(System.in);String name = scanner.nextLine();System.out.println(“请输入密码:”);String password = scanner.nextLine();//拼接成sql语句String sql = String.format(“select * from stu where StuName=”%s” and LoginPwd=”%s””,name,password);//连接服务器验证密码是否正确Connection cOnnection= JDBCUtil.GetConnection(); //自定义的JDBCUtil类封装了连接sql的驱动器，以及返回一个连接到自己的服务器Connection活动对象Statement statement = null;statement = connection.createStatement();//执行sql语句ResultSet resultSet = statement.executeQuery(sql);if(resultSet.next()){ System.out.println(“登录成功”); System.out.println(sql);}else{ System.out.println(“登录失败！请重试”);}

解决：使用预编译 PreparedStatement，创建参数化的sql语句

例如：String sql=”select * from stu where StuName = ? and LoginPwd = ?”;    //设置参数化sql语句，变量的值暂时用？代替

PreparedStatement preparement = connection.preparedStatement(sql);

preparement.setString(1, “易烊千玺”);　　//设置参数

preparement.setString(2,”123445″);

代码示例：

//登录系统 System.out.println(“请输入用户名:”); Scanner scanner = new Scanner(System.in); String name = scanner.nextLine(); System.out.println(“请输入密码:”); String password = scanner.nextLine(); //拼接成sql语句// String sql = String.format(“select * from stu where StuName=”%s” and LoginPwd=”%s””,name,password); String sql = “select * from stu where StuName=? and LoginPwd=?;”; //连接服务器验证密码是否正确 Connection cOnnection= JDBCUtil.GetConnection(); //自定义的JDBCUtil类封装了连接sql的驱动器，以及返回一个连接到自己的服务器Connection活动对象// Statement statement = null;// statement = connection.createStatement(); PreparedStatement preparedStatement = connection.prepareStatement(sql); //为每一个？赋值，下标从1开始 preparedStatement.setString(1, name); preparedStatement.setString(2,password); //执行sql语句// ResultSet resultSet = statement.executeQuery(sql); ResultSet resultSet = preparedStatement.executeQuery(); if(resultSet.next()){ System.out.println(“登录成功”); System.out.println(sql); }else{ System.out.println(“登录失败！请重试”); } }