package cn.itcast.jdbc;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
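/**
 * Demonstrates why parameter binding is the right defence against SQL injection.
 *
 * <p>The commented-out {@code read} below builds the query text by string concatenation,
 * so a value such as {@code 'or 1 or'} becomes part of the WHERE clause. The live
 * {@code read} passes the name through {@link PreparedStatement#setString}, so the
 * driver treats the same value as a literal name and the query shape never changes.
 */
public class SQLInject {

    /**
     * Runs the lookup twice: once with an ordinary name, once with the quote-breaking
     * value used to show the difference between concatenation and binding.
     *
     * @param args ignored
     * @throws SQLException if a lookup fails; the error is propagated, not swallowed
     */
    public static void main(String[] args) throws SQLException {
        read("wangwu");
        read("'or 1 or'");
    }

    // Vulnerable version, kept for contrast with the parameterised one below:
    // the caller-supplied name is concatenated straight into the SQL text.
    // static void read(String name) throws SQLException{
    // Connection conn = null;
    // Statement st = null;
    // ResultSet rs = null;
    //
    // try {
    // conn = JdbcUtils.getConnection();
    // st = conn.createStatement();
    // rs = st.executeQuery("select id,name,birthday,money " +
    // "from user where name='"+name+"'");
    //
    // while(rs.next()){
    // System.out.println(rs.getObject("id")+"\t"
    // +rs.getObject("name")+"\t"
    // +rs.getObject("money")+"\t"
    // +rs.getObject("birthday"));
    // }
    // } catch (Exception e) {
    // // TODO: handle exception
    // System.out.println("f");
    // }finally{
    // JdbcUtils.free(rs, st, conn);
    // }
    // }

    /**
     * Prints id, name, money and birthday of every {@code user} row whose name equals
     * {@code name}, one row per line, tab-separated.
     *
     * <p>The SQL text is a constant; {@code name} is supplied as bound parameter 1, so
     * the driver never parses it as SQL.
     *
     * @param name the exact user name to look up
     * @throws SQLException if obtaining the connection, preparing or running the query fails
     */
    static void read(String name) throws SQLException {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtils.getConnection();
            String sql = "select id,name,birthday,money from user where name=?";
            ps = conn.prepareStatement(sql);
            ps.setString(1, name);
            rs = ps.executeQuery();
            while (rs.next()) {
                System.out.println(rs.getObject("id") + "\t"
                        + rs.getObject("name") + "\t"
                        + rs.getObject("money") + "\t"
                        + rs.getObject("birthday"));
            }
        } catch (SQLException e) {
            // The original caught Exception and printed "f", hiding every failure from the
            // caller even though the signature already declares SQLException. Rethrow instead.
            throw e;
        } catch (Exception e) {
            // JdbcUtils.getConnection() lives outside this file; whatever non-SQL exception it
            // may throw is wrapped with its cause preserved rather than silently dropped.
            throw new SQLException("user lookup failed", e);
        } finally {
            // Project helper that releases the three resources; kept so cleanup matches the
            // rest of the codebase.
            JdbcUtils.free(rs, ps, conn);
        }
    }
}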