1、sql注入
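package net.xdclass.web.dao;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

/**
 * Demonstrates a SQL-injection vulnerability: the username and password are
 * concatenated straight into the query text, so a password such as
 * {@code 666' or 1=1 or'} turns the WHERE clause into a tautology and the
 * query returns every row of {@code user}.
 *
 * <p>The query construction is left intentionally unsafe because that is what
 * the demo illustrates; the fix is to bind the values with
 * {@code PreparedStatement} (shown in the Javadoc of {@code testInjectSQL}).
 * Resource handling and the connection URL are written the way production code
 * should be.
 */
public class JDBCtest {

    // JDBC driver and connection settings for the demo database.
    private static final String DRIVER_NAME = "com.mysql.cj.jdbc.Driver";
    private static final String USER_NAME = "root";
    private static final String USER_PWD = "123456";
    private static final String DB_NAME = "xd_class";
    // Format: protocol:sub-protocol://host:port/database?param1=value1&param2=value2
    // "useUnicode" is the Connector/J property name; the original "userUnicode"
    // was a typo that the driver silently ignores.
    private static final String URL_PARAMS =
            "?useUnicode=true&characterEncoding=utf8&serverTimezone=GMT%2B8&useSSL=false";

    public static void main(String[] args) throws Exception {
        testInjectSQL();
    }

    /**
     * Runs a login-style query built by string concatenation and prints every
     * row it returns.
     *
     * <p>With the hard-coded password {@code 666' or 1=1 or'} the SQL becomes
     * {@code select * from user where username='jack' and pwd='666' or 1=1 or''},
     * which matches all rows — the injection the demo is about. The safe form
     * binds the values instead of concatenating them:
     * <pre>{@code
     * PreparedStatement ps = connection.prepareStatement(
     *         "select * from user where username=? and pwd=?");
     * ps.setString(1, uname);
     * ps.setString(2, upwd);
     * ResultSet rs = ps.executeQuery();
     * }</pre>
     *
     * @throws Exception if the driver cannot be loaded or any JDBC call fails
     */
    private static void testInjectSQL() throws Exception {
        // 1. Load the JDBC driver.
        Class.forName(DRIVER_NAME);

        // 2. Build the connection URL.
        String url = "jdbc:mysql://127.0.0.1:3306/" + DB_NAME + URL_PARAMS;

        String uname = "jack";
        String upwd = "666' or 1=1 or'";
        // INTENTIONALLY VULNERABLE: the values are pasted into the query text,
        // so a quote character inside them changes the statement itself.
        String sql = "select * from user where username='" + uname + "' and pwd='" + upwd + "'";

        // 3./4. Open the connection, create the Statement, execute, walk the ResultSet.
        // try-with-resources closes all three even when executeQuery throws; the
        // original closed them only on the success path and leaked otherwise.
        try (Connection connection = DriverManager.getConnection(url, USER_NAME, USER_PWD);
             Statement statement = connection.createStatement();
             ResultSet resultSet = statement.executeQuery(sql)) {
            while (resultSet.next()) {
                System.out.println("用户名称 name=" + resultSet.getString("username")
                        + " 联系方式 wechat+" + resultSet.getString("wechat"));
            }
        }
        // 5. Resources are released by try-with-resources in reverse order.
    }
}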
如果用户名、密码等请求参数被直接拼接进 SQL，攻击者只需在 URL 里修改参数，就可能导致数据库信息泄露，甚至篡改数据库内容。
2、防范措施：使用 PreparedStatement 预编译 SQL
这样传入的值（如 666' or 1=1 or'）会被当作参数值绑定到 SQL 中，而不会被当成 SQL 指令解析，从而避免了注入，提高了安全性。