java登陆界面中关于JDBC的一个问题

      最近用java写了一个登陆的小界面,先把代码贴出来然后说说其中的问题。

import java.awt.Container;
import java.awt.Toolkit;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;


import javax.swing.JButton;
import javax.swing.JFrame;
import javax.swing.JLabel;
import javax.swing.JOptionPane;
import javax.swing.JPasswordField;
import javax.swing.JTextField;


public class Log extends  JFrame {


public Log(){
init();
}
private JLabel labname;
private JLabel labpass;
private JTextField jtf;
private JPasswordField jpf;
private JButton btnok;
private JButton btncancel;

private void init() {
//点击关闭按钮退出程序
this.setDefaultCloseOperation(EXIT_ON_CLOSE);
//不允最大化和改变尺寸
this.setResizable(false);
this.setTitle("登陆界面");
this.setLayout(null);
this.setSize(273,170);
//让界面处于屏幕中心
int width = (int)Toolkit.getDefaultToolkit().getScreenSize().getWidth();
int height = (int)Toolkit.getDefaultToolkit().getScreenSize().getHeight();
this.setLocation(width/2 - this.getWidth()/2,
            height/2 - this.getHeight()/2);

Container con = this.getContentPane();
labname = new JLabel("用户名:");
labpass = new JLabel("密码:");

labname.setBounds(30, 25, 60, 25);
labpass.setBounds(30, 55, 60, 25);
con.add(labname);
con.add(labpass);

jtf = new JTextField();
jtf.setBounds(85, 25, 150, 25);
jpf = new JPasswordField();
jpf.setBounds(85, 55, 150, 25);
con.add(jtf);
con.add(jpf);

btnok = new JButton("确定");
btncancel = new JButton("取消");
btnok.setBounds(35, 95, 80, 25);
btncancel.setBounds(145, 95, 80, 25);
con.add(btnok);
con.add(btncancel);
//添加按钮事件响应
btnok.addActionListener(new ActionListener() {

@Override
public void actionPerformed(ActionEvent e) {
String passname = jtf.getText();
if("".equals(passname)){
JOptionPane.showMessageDialog(null, "请输入账号");
return ;
}

String pass = new String(jpf.getPassword());
if("".equals(pass)){
JOptionPane.showMessageDialog(null, "请输入密码");
return ;
}
try {
//加载数据库的驱动
Class.forName("oracle.jdbc.driver.OracleDriver");
//建立数据库的连接
String url = "jdbc:oracle:thin:@localhost:1521:orcl";
//一个Connection就是一个数据库连接,这时已经登陆上了数据库
Connection conn = DriverManager.getConnection(url,"scott","tiger");
//执行SQL语句
String sql = "select count(1) from accont where name='"+passname+"' and code='"+pass+"'";
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery(sql);
int result = -1;
while(rs.next()){
result = rs.getInt(1);
}
//关闭连接
rs.close();
stmt.close();
conn.close();

if(result > 0){
System.out.println("登陆成功");
//隐藏登陆界面代码,不明白为什么不能用this?
//setVisible(false);
//执行其他代码
//..............
}else{
JOptionPane.showMessageDialog(null, "帐号或密码错误,请重新输入");
jpf.setText(""); 
}
} catch (ClassNotFoundException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
} catch (SQLException e1) {
// TODO Auto-generated catch block
e1.printStackTrace();
}
}
});

btncancel.addActionListener(new ActionListener() {

@Override
public void actionPerformed(ActionEvent e) {
int result = JOptionPane.showConfirmDialog(Log.this, "确认要退出吗?", "提示",JOptionPane.YES_NO_OPTION);
if(JOptionPane.YES_OPTION == result){
System.exit(0);
}

}
});
}
public static void main(String[] args) {
Log l = new Log();
l.setVisible(true);
}


}
      这个是做的一个简单的登陆界面,使用了数据库中数据进行认证,我在accont表中设置了列名为name和code的两列,存储了三条测试数据(zhangsan 123456;lisi 123;wangu 456),  然后发现了一条神一样的密码:*****' or 1=1--'  (*代码任何字符) ,账户可以是任意的,看了几本JDBC的书中介绍的也是用按照String sql = "select count(1) from accont where name='"+passname+"' and code='"+pass+"'";做的SQL语句,但是忽略了经典的SQL注入,在我们设计java连接数据库时应该尽量避免这样的写法,java本身提供了一种在某种程度提高效率的执行SQL语句的方法,可能也没想到竟然还有防止sql注入的作用,java的另外一种方法是String sql = "select count(1) from accont where passname=? and pass=?";PreparedStatement pstmt = conn.prepareStatement(sql);pstmt.setString(1, account.getAccName());pstmt.setString(2, account.getAccPass());rs = pstmt.executeQuery();  这样的sql语句是无论什么类型都用?占位符取代,然后通过set方法给参数赋值,提高了一定的安全性....


你可能感兴趣的:(java登陆界面中关于JDBC的一个问题)