SQL 注入问题
select * from user where name='newboy' and password='a' or '1'='1'
登录成功,欢迎您:newboy
问题分析:
select * from user where name='newboy' and password='a' or '1'='1'
由于 and 的优先级高于 or，name='newboy' and password='a' 这一部分为假，
而 '1'='1' 恒为真，
所以整个 where 条件恒为真，相当于
select * from user where true;
JDBCUtils 工具类
package com.company.web.web05.jdbcUtils;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.sql.*;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
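public class JDBCUtils {

    private static final Logger LOG = Logger.getLogger(JDBCUtils.class.getName());

    /** Classpath resource holding the keys url, username, password and (optionally) driver. */
    private static final String CONFIG = "jdbc.properties";

    private static final String url;
    private static final String username;
    // Held as a String because DriverManager.getConnection() takes one; it must never be logged.
    private static final String password;

    /**
     * Static initializer: runs once when the class is loaded and reads the connection
     * settings from {@value #CONFIG} on the classpath.
     *
     * <p>If the resource is missing or unreadable the fields stay {@code null}; the problem
     * is logged here and surfaced to callers by {@link #toConnection()} as an
     * {@link SQLException}, so class loading itself never fails.
     */
    static {
        Properties pro = new Properties();
        // Reading the resource as a stream (instead of URL.getPath() + FileReader) also works
        // for resources packed in a jar and for paths containing spaces or non-ASCII characters.
        try (InputStream in = JDBCUtils.class.getResourceAsStream("/" + CONFIG)) {
            if (in == null) {
                throw new IOException("resource '" + CONFIG + "' not found on the classpath");
            }
            // Properties.load(InputStream) uses the standard ISO-8859-1/\uXXXX .properties
            // encoding, independent of the platform default charset.
            pro.load(in);
            String driverClass = pro.getProperty("driver");
            // JDBC 4 drivers self-register via ServiceLoader, so the driver key is optional.
            if (driverClass != null && !driverClass.trim().isEmpty()) {
                Class.forName(driverClass);
            }
        } catch (IOException | ClassNotFoundException e) {
            // Never log the Properties object itself: after load() it contains the password.
            LOG.log(Level.SEVERE, "JDBC configuration '" + CONFIG + "' could not be loaded", e);
        }
        url = pro.getProperty("url");
        username = pro.getProperty("username");
        password = pro.getProperty("password");
    }

    /**
     * Opens a new database connection using the configured url, username and password.
     *
     * @return a freshly opened {@link Connection}; the caller owns it and must close it
     * @throws SQLException if the configuration was not loaded or the driver refuses the connection
     */
    public static Connection toConnection() throws SQLException {
        if (url == null) {
            throw new SQLException(
                    "JDBC url is not configured: '" + CONFIG + "' was not loaded (see log)");
        }
        return DriverManager.getConnection(url, username, password);
    }

    /**
     * Releases a statement and its connection, in that order. {@code null} arguments are ignored.
     *
     * @param state the Statement to close, may be {@code null}
     * @param conn  the Connection to close, may be {@code null}
     */
    public static void close(Statement state, Connection conn) {
        close(null, state, conn);
    }

    /**
     * Releases a result set, its statement and its connection, innermost first.
     * {@code null} arguments are ignored and a failure to close one resource does not
     * prevent the others from being closed.
     *
     * @param rs    the ResultSet to close, may be {@code null}
     * @param state the Statement to close, may be {@code null}
     * @param conn  the Connection to close, may be {@code null}
     */
    public static void close(ResultSet rs, Statement state, Connection conn) {
        closeQuietly(rs);
        closeQuietly(state);
        closeQuietly(conn);
    }

    /**
     * Closes one resource, logging (but not propagating) any failure.
     *
     * @param resource the resource to close; {@code null} is a no-op
     */
    private static void closeQuietly(AutoCloseable resource) {
        if (resource == null) {
            return;
        }
        try {
            resource.close();
        } catch (Exception e) {
            // AutoCloseable.close() declares Exception, so the catch has to be this wide.
            LOG.log(Level.WARNING, "failed to close " + resource.getClass().getSimpleName(), e);
        }
    }
}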