package cn.itcast.jdbc;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class SQLInject {
/**
* @param args
* @throws SQLException
*/
public static void main(String[] args) throws SQLException {
read("' or 1 or'");
}
static void read1(String name) throws SQLException {
Connection conn = null;
Statement st = null;
ResultSet rs = null;
try {
// 2.建立连接
conn = JdbcUtils.getConnection();
// conn = JdbcUtilsSing.getInstance().getConnection();
// 3.创建语句
String sql = "select id, name, money, birthday from user where name='" //不安全,当name= "' or 1 or'"时,会有sql注入问题
+ name + "'";
st = conn.createStatement();
// 4.执行语句
rs = st.executeQuery(sql);
// 5.处理结果
while (rs.next()) {
// System.out.println(rs.getObject("id") + "\t"
// + rs.getObject("name") + "\t"
// + rs.getObject("birthday") + "\t"
// + rs.getObject("money"));
}
} finally {
JdbcUtils.free(rs, st, conn);
}
}
}