
2022-08-19 Group 2, Zhang Di

Posted: 2022-08-19 10:45:24, views: 66
Tags: username di 19 08 System sql println conn pstmt

JDBC

Shortcomings of Statement

1. Heavy string concatenation, poor readability

2. SQL injection

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Scanner;

        Connection conn = null;
        Statement stmt = null;
        ResultSet re = null;
        conn = GetConnection.test();            // the post's own connection helper
        stmt = conn.createStatement();
        Scanner sc = new Scanner(System.in);
        System.out.println("请输入用户名");     // prompt for the user name
        String username = sc.next();
        System.out.println("请输入用户密码");   // prompt for the password
        String password = sc.next();
        // user input is concatenated straight into the SQL text: this is the injection point
        String sql = "select username,password from user where username = '"
                + username + "' and password = '" + password + "'";
        re = stmt.executeQuery(sql);
        if (re.next()) {
            System.out.println("登录成功" + username);   // login succeeded
        } else {
            System.out.println("error");
        }


SQL injection

Because the input is concatenated into the query text, a user can turn it into a statement whose WHERE clause is always true, which skips the checks the query was supposed to enforce:

select * from user where username = 'zxcvzxcvzxcv' and password = 'b' or '1' = '1'


PreparedStatement

1. Obtained from the Connection object (conn.prepareStatement)

2. A sub-interface of the Statement interface

3. The SQL statement can take parameters: ? marks a placeholder, and the setXXX methods assign values to the placeholders

4. Better performance (the statement is pre-compiled once and reused)

5. Prevents SQL injection, because bound values are never parsed as SQL text

import java.sql.Connection;
import java.sql.PreparedStatement;

        Connection conn = null;
        PreparedStatement pstmt = null;

        String sql = "update teacher set name = ? where id = ?";
        // pre-compile the statement; the ? placeholders are bound afterwards
        conn = GetConnection.test();
        pstmt = conn.prepareStatement(sql);
        // bind the placeholders by position (1-based)
        pstmt.setString(1, "jj");
        pstmt.setInt(2, 6);

        // execute the SQL; returns the number of affected rows
        int i = pstmt.executeUpdate();
        System.out.println(i);
        // close the statement before the connection that created it
        pstmt.close();
        conn.close();
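The login check from the Statement section, rewritten with PreparedStatement so the always-true payload is bound as a plain value. This is an added example, not code from the original post; it assumes the post's `user` table (columns username, password) and its GetConnection.test() helper.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example. Assumes the post's `user` table with columns username and
// password, and a Connection from the post's own GetConnection.test() helper.
public class SafeLogin {

    // Same check as the Statement version, but the user-supplied values are
    // bound as parameters and never concatenated into the SQL text.
    static boolean login(Connection conn, String username, String password)
            throws SQLException {
        String sql = "select username, password from user "
                   + "where username = ? and password = ?";
        try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setString(1, username);
            pstmt.setString(2, password);
            try (ResultSet rs = pstmt.executeQuery()) {
                // a row comes back only if both values match exactly
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed input: the always-true payload shown in the post.
        // Bound through setString, the whole string is compared as the
        // password value, so the quote and the "or '1' = '1'" never
        // become part of the WHERE clause.
        String username = "zxcvzxcvzxcv";
        String payload = "b' or '1' = '1";
        try (Connection conn = GetConnection.test()) {
            boolean ok = login(conn, username, payload);
            // false unless a user really has that literal string as a password
            System.out.println("login with payload: " + ok);
        }
    }
}
```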

From: https://www.cnblogs.com/shenmimao/p/16601220.html
