11级_Java_曹建波6.19 解决注入问题

本文介绍了一种使用预编译语句防止SQL注入攻击的方法。通过示例代码展示了如何在用户注册和登录过程中利用PreparedStatement来避免潜在的安全风险。

解决注入问题

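/**
 * Handles the registration button: inserts the form values into {@code users}.
 *
 * <p>The insert is a parameterized {@link PreparedStatement}, so the user-supplied
 * name, password, e-mail and birthday are bound as values and never spliced into
 * the SQL text.
 *
 * @param evt the Swing action event (unused)
 */
private void btnSubmitActionPerformed(java.awt.event.ActionEvent evt) {
    String userName = txtName.getText();
    // NOTE(review): the password is stored exactly as entered (no hashing); the
    // login handler compares it the same way.
    String password = new String(txtPassword.getPassword());
    String email = txtEmail.getText();
    String birthday = txtBirthday.getText();
    Connection con = null;
    PreparedStatement ps = null;
    String sql = "insert into users(name,password,email,birthday)values(?,?,?,?) ";
    try {
        con = DBManager.getConnection();
        ps = con.prepareStatement(sql);
        ps.setString(1, userName);
        ps.setString(2, password);
        ps.setString(3, email);
        // Date.valueOf accepts only yyyy-[m]m-[d]d; any other text raises
        // IllegalArgumentException, handled below as a failed registration.
        ps.setDate(4, Date.valueOf(birthday));
        int rows = ps.executeUpdate();
        // Success is decided by the update count; the text fields are never null,
        // so testing them could not distinguish a failed insert.
        if (rows > 0) {
            JOptionPane.showMessageDialog(this, "注册成功!");
        } else {
            JOptionPane.showMessageDialog(this, "注册失败!");
        }
    } catch (IllegalArgumentException e) {
        // Malformed birthday text: no statement was executed.
        JOptionPane.showMessageDialog(this, "注册失败!");
    } catch (SQLException e) {
        e.printStackTrace();
        // A database error must not leave the user without any feedback.
        JOptionPane.showMessageDialog(this, "注册失败!");
    } finally {
        DBManager.dbClose1(ps, con);
    }
}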

/**
 * Handles the "logon" button: opens the {@code Logon} window.
 *
 * @param evt the Swing action event (unused)
 */
private void btnLogonActionPerformed(java.awt.event.ActionEvent evt) {
    Logon logonWindow = new Logon();
    logonWindow.setVisible(true);
}

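/**
 * Handles the login button: looks up a row in {@code users} matching the entered
 * name and password.
 *
 * <p>Both values are bound as parameters of a {@link PreparedStatement}; the query
 * text is fixed, so a quote or SQL keyword typed into either field is treated as
 * data rather than as part of the statement.
 *
 * @param evt the Swing action event (unused)
 */
private void btnloginActionPerformed(java.awt.event.ActionEvent evt) {
    String userName = txtName.getText();
    // NOTE(review): compared verbatim against the stored column, i.e. the stored
    // value is expected to be the plaintext the registration form saved.
    String password = new String(txtPassword.getPassword());
    Connection con = null;
    PreparedStatement ps = null;
    ResultSet rs = null;
    String sql = "select id from users where name=? and password=?";
    try {
        con = DBManager.getConnection();
        ps = con.prepareStatement(sql);
        ps.setString(1, userName);
        ps.setString(2, password);
        rs = ps.executeQuery();
        // Any matching row means the credentials are accepted.
        if (rs.next()) {
            JOptionPane.showMessageDialog(this, "登陆成功!");
        } else {
            JOptionPane.showMessageDialog(this, "登陆失败!");
        }
    } catch (SQLException e) {
        e.printStackTrace();
        // A database error must not leave the user without any feedback.
        JOptionPane.showMessageDialog(this, "登陆失败!");
    } finally {
        DBManager.dbClose(rs, ps, con);
    }
}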
