對比 Statement 和 PreparedStatement:使用 PreparedStatement(參數化查詢,以 ? 佔位符綁定值)避免 SQL 注入
Statement
一:查詢。用戶輸入被直接拼接進 SQL 字符串,輸入中的引號和 OR 會被當作 SQL 語法解析,導致 WHERE 條件過濾失效:查詢結果不再受 stu_no 限制(此例中 COUNT(*) 變成整張表的行數)。
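Connection connection = JDBCUtils.getCon(); // obtain the connection (connection setup omitted)
// Attacker-controlled value: the quote terminates the string literal and the OR is
// appended as SQL, so the WHERE clause becomes always-true.
String stuNo = "123456789' OR '1' = '1";
// Built by string concatenation, the value becomes part of the SQL grammar:
//   SELECT COUNT(*) FROM tb_stu WHERE stu_no ='123456789' OR '1' = '1'
// The stu_no filter is bypassed and the count covers every row in tb_stu.
String sql = "SELECT COUNT(*) FROM tb_stu WHERE stu_no ='"+stuNo+"'";
// Statement and ResultSet are closed by try-with-resources even if executeQuery throws,
// instead of leaking until the connection is dropped.
try (Statement statement = connection.createStatement();
     ResultSet resultSet = statement.executeQuery(sql)) {
    System.out.println("--------statement---------");
    // COUNT(*) yields exactly one row; column 1 is the (inflated) row count.
    while (resultSet.next()) {
        System.out.println(resultSet.getString(1));
    }
}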
二:SQL注入刪除操作。注入的 ' or '1' = '1 使 DELETE 的 WHERE 條件恆真,整張 tb_stu 表的數據都會被刪除。
/**
* SQL注入現象造成表數據被清空
* @throws SQLException
*/
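@Test
public void test1() throws SQLException{
    // try-with-resources closes the Statement and the Connection even if execute() throws.
    try (Connection connection = JDBCUtils.getCon();
         Statement statement = connection.createStatement()) {
        // Deliberately vulnerable demo: the attacker-controlled value is concatenated into
        // the SQL text.
        // Injected value:      12345' or '1' = '1
        // Resulting statement: delete from tb_stu where stu_no = '12345' or '1' = '1'
        // The OR makes the WHERE clause always true, so every row in tb_stu is deleted.
        String no = "12345' or '1' = '1";
        // NOTE(review): hand-escaping the quote is NOT a reliable defence. String is
        // immutable, so a bare no.replace("'", "\\'") discards its result and changes
        // nothing; and even when assigned back, escaping only the single quote does not
        // cover backslashes, unquoted numeric contexts or driver/charset-specific escaping
        // rules. Bind the value through a PreparedStatement '?' placeholder instead.
        String sql = "delete from tb_stu where stu_no = '"+no+"'";
        System.out.println(sql);
        statement.execute(sql);
    }
}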
PreparedStatement 使用,有效防止 SQL 注入。注意:只有通過 ? 佔位符綁定的值才受保護;如果仍把用戶輸入拼接進傳給 prepareStatement() 的 SQL 字符串,照樣會被注入。? 只能綁定值,不能綁定表名、列名或 ORDER BY 方向,這類動態部分必須用白名單校驗。
一:查詢
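// Parameterized form: the SQL text holds only a '?' placeholder and the value is sent
// separately, so the quote/OR inside stuNo is compared literally and never parsed as SQL.
String sql2 = "SELECT COUNT(*) FROM tb_stu WHERE stu_no = ?";
// prepareStatement() fixes the statement structure; values bound afterwards cannot alter it.
// try-with-resources closes the PreparedStatement and ResultSet even on failure.
try (PreparedStatement preparedStatement = connection.prepareStatement(sql2)) {
    preparedStatement.setString(1, stuNo); // bind the first '?' as a plain string value
    try (ResultSet resultSet2 = preparedStatement.executeQuery()) { // actually runs the query
        System.out.println("--------preparedStatement---------");
        // COUNT(*) yields one row; here the count is only the rows whose stu_no equals
        // the literal injected string (normally 0).
        while (resultSet2.next()) {
            System.out.println(resultSet2.getString(1));
        }
    }
}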
二:更新(參數化 UPDATE,三個值都通過 ? 綁定)
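/**
 * Parameterized UPDATE: sets stu_head for rows with stu_id in [1, 5).
 * All three values are bound through '?' placeholders, so none of them can change the
 * statement's structure. Prints the number of affected rows.
 *
 * @throws SQLException if obtaining the connection or running the update fails
 */
public void test3() throws SQLException{
    String sql = "UPDATE tb_stu SET stu_head = ? WHERE stu_id >= ? and stu_id < ?";
    // try-with-resources closes the PreparedStatement and the Connection even on failure.
    try (Connection connection = JDBCUtils.getCon();
         PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
        preparedStatement.setString(1, "1-5的頭像"); // first '?': new head value
        preparedStatement.setInt(2, 1);             // second '?': lower bound (inclusive)
        preparedStatement.setInt(3, 5);             // third '?': upper bound (exclusive)
        System.out.println("影響了:"+preparedStatement.executeUpdate());
    }
}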
三:批處理
/**
* 測試批處理
* Batch
* addBatch()
* executeBatch()
* @throws SQLException
*/
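@Test
public void test4() throws SQLException{
    // try-with-resources closes the PreparedStatement and the Connection even on failure.
    try (Connection connection = JDBCUtils.getCon()) {
        String sql = "UPDATE tb_stu SET stu_head = ? WHERE stu_id >= ? and stu_id < ?";
        System.out.println("-------------------");
        try (PreparedStatement preparedStatement = connection.prepareStatement(sql)) {
            // Each addBatch() snapshots the currently bound parameters and queues one
            // execution; nothing is sent to the database until executeBatch().
            queueHeadUpdate(preparedStatement, "1-5的頭像2", 1, 5);
            System.out.println("-------------------");
            queueHeadUpdate(preparedStatement, "5-10的頭像", 5, 10);
            System.out.println("-------------------");
            queueHeadUpdate(preparedStatement, "10-20的頭像", 10, 20);
            // executeBatch() runs the queued updates and returns one update count per
            // queued statement (int[]). Concatenating the array directly would print its
            // identity hash (e.g. "[I@1b6d3586"), so render the counts with Arrays.toString.
            // Whether the changes are committed depends on the connection's auto-commit
            // setting, which is not shown here.
            int[] counts = preparedStatement.executeBatch();
            System.out.println("影響了:" + java.util.Arrays.toString(counts));
        }
    }
}

/** Binds (head, lo, hi) to the three '?' placeholders of the batched UPDATE and queues it. */
private static void queueHeadUpdate(PreparedStatement ps, String head, int lo, int hi)
        throws SQLException {
    ps.setString(1, head); // first '?': new head value
    ps.setInt(2, lo);      // second '?': lower bound (inclusive)
    ps.setInt(3, hi);      // third '?': upper bound (exclusive)
    ps.addBatch();
}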