JDBC--代码实现增删改查、及SQL注入问题解决

Statement、PreparedStatement对象详解及SQL注入问题


(1)Statement对象详解

1、提取工具类

#db.properties
dirver=com.mysql.jdbc.Driver
url=jdbc:mysql://localhost:3306/jdbcStudy?useUnicode=true&characterEncoding=utf8&useSSl=true
username=root
password=123456
package com.xiao.lesson02.utils;

import java.io.IOException;
import java.io.InputStream;
import java.sql.*;
import java.util.Properties;
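/**
 * Minimal JDBC helper: reads connection settings from {@code db.properties}
 * on the classpath, registers the driver once, and hands out connections.
 *
 * <p>Keys read from the properties file: {@code dirver} (spelling kept for
 * compatibility with the existing file), {@code url}, {@code username},
 * {@code password}. The password is read in clear text, so that file must
 * hold no real credentials when it is committed or shipped.
 *
 * <p>The lower-case class name is kept because the lesson classes call it.
 */
public class jdbcUtils {

    private static final String CONFIG_RESOURCE = "db.properties";

    private static String dirver;
    private static String url;
    private static String username;
    private static String password;

    static {
        loadConfiguration();
    }

    /** Not instantiable: every member is static. */
    private jdbcUtils() {
    }

    /**
     * Loads {@code db.properties} and registers the JDBC driver.
     *
     * <p>Failures are reported on stderr instead of being thrown so that the
     * class still initialises; {@link #getConnection()} then fails with an
     * explicit message rather than a {@code NoClassDefFoundError} at every
     * later call site.
     */
    private static void loadConfiguration() {
        // try-with-resources: the original left the stream open after load().
        try (InputStream in = jdbcUtils.class.getClassLoader().getResourceAsStream(CONFIG_RESOURCE)) {
            if (in == null) {
                System.err.println("jdbcUtils: " + CONFIG_RESOURCE + " not found on the classpath");
                return;
            }
            Properties properties = new Properties();
            properties.load(in);

            dirver = properties.getProperty("dirver");
            url = properties.getProperty("url");
            username = properties.getProperty("username");
            password = properties.getProperty("password");

            // The driver only needs to be loaded once, hence the static initializer.
            if (dirver != null) {
                Class.forName(dirver);
            }
        } catch (IOException | ClassNotFoundException e) {
            // Deliberately not rethrown (see Javadoc); the message carries no credentials.
            System.err.println("jdbcUtils: failed to initialise from " + CONFIG_RESOURCE);
            e.printStackTrace();
        }
    }

    /**
     * Opens a new connection using the loaded settings.
     *
     * @return a fresh {@link Connection}; the caller owns it and must close it,
     *         e.g. through {@link #release(Connection, Statement, ResultSet)}
     * @throws SQLException if the configuration was never loaded or the driver
     *         rejects the connection
     */
    public static Connection getConnection() throws SQLException {
        if (url == null) {
            throw new SQLException("jdbcUtils not initialised: " + CONFIG_RESOURCE + " missing or incomplete");
        }
        return DriverManager.getConnection(url, username, password);
    }

    /**
     * Closes the given resources in the conventional order (result set,
     * statement, connection). {@code null} arguments are skipped.
     *
     * <p>Unlike a plain sequence of {@code close()} calls, a failure while
     * closing one resource does not prevent the remaining ones from being
     * closed: the first failure is rethrown after all three have been
     * attempted, with any later failures attached as suppressed exceptions.
     *
     * @param conn connection to close, may be {@code null}
     * @param st   statement to close, may be {@code null}
     * @param rs   result set to close, may be {@code null}
     * @throws SQLException if closing any of the resources failed
     */
    public static void release(Connection conn, Statement st, ResultSet rs) throws SQLException {
        SQLException failure = closeCollecting(rs, null);
        failure = closeCollecting(st, failure);
        failure = closeCollecting(conn, failure);
        if (failure != null) {
            throw failure;
        }
    }

    /**
     * Closes {@code resource} (if non-null) and folds any failure into
     * {@code pending} so that the caller can keep closing the others.
     *
     * @return the first failure seen so far, or {@code null} if none
     */
    private static SQLException closeCollecting(AutoCloseable resource, SQLException pending) {
        if (resource == null) {
            return pending;
        }
        try {
            resource.close();
        } catch (Exception e) {
            // AutoCloseable.close() is declared to throw Exception; JDBC objects throw SQLException.
            SQLException failure = e instanceof SQLException ? (SQLException) e : new SQLException(e);
            if (pending == null) {
                return failure;
            }
            pending.addSuppressed(failure);
        }
        return pending;
    }
}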

2、编写增、删、改的方法(executeUpdate())

package com.xiao.lesson02;

import com.xiao.lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Demo: insert one row with a plain {@link Statement}.
 *
 * <p>The SQL is a compile-time constant with no external input, so plain
 * text is acceptable here; the SQL_zhuru class on this page shows what goes
 * wrong once user input is spliced into the string.
 */
public class TestInsert {

    private static final String INSERT_SQL =
            "insert into users(`id`,`NAME`,`PASSWORD`,`email`,`birthday`) values(4,'狂神','123456','[email protected]','2021-06-08')";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        Statement statement = null;
        try {
            connection = jdbcUtils.getConnection();
            statement = connection.createStatement();
            reportInsert(statement.executeUpdate(INSERT_SQL));
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // executeUpdate produces no ResultSet, hence null for the third argument.
            jdbcUtils.release(connection, statement, null);
        }
    }

    /** Prints the success message when at least one row was written. */
    private static void reportInsert(int affectedRows) {
        if (affectedRows > 0) {
            System.out.println("插入成功!!");
        }
    }
}
package com.xiao.lesson02;

import com.xiao.lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Demo: delete one row with a plain {@link Statement}.
 *
 * <p>The row id is hard-coded in the SQL constant, so no external input
 * reaches the query text.
 */
public class TestDelete {

    private static final String DELETE_SQL = "DELETE FROM users WHERE id=1";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        Statement statement = null;
        try {
            connection = jdbcUtils.getConnection();
            statement = connection.createStatement();
            reportDelete(statement.executeUpdate(DELETE_SQL));
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // executeUpdate produces no ResultSet, hence null for the third argument.
            jdbcUtils.release(connection, statement, null);
        }
    }

    /** Prints the success message when at least one row was removed. */
    private static void reportDelete(int affectedRows) {
        if (affectedRows > 0) {
            System.out.println("删除成功!!");
        }
    }
}
package com.xiao.lesson02;

import com.xiao.lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/**
 * Demo: update one row with a plain {@link Statement}.
 *
 * <p>Both the new value and the row id are literals inside the SQL constant;
 * nothing user-controlled is concatenated in.
 */
public class TestUpdate {

    private static final String UPDATE_SQL = "UPDATE users SET `name`='秦疆' WHERE id=2";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        Statement statement = null;
        try {
            connection = jdbcUtils.getConnection();
            statement = connection.createStatement();
            reportUpdate(statement.executeUpdate(UPDATE_SQL));
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // executeUpdate produces no ResultSet, hence null for the third argument.
            jdbcUtils.release(connection, statement, null);
        }
    }

    /** Prints the success message when at least one row was changed. */
    private static void reportUpdate(int affectedRows) {
        if (affectedRows > 0) {
            System.out.println("更新成功!!");
        }
    }
}

3、查询

package com.xiao.lesson02;

import com.xiao.lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Demo: query one row with a plain {@link Statement} and print every column.
 *
 * <p>The row id is a literal in the SQL constant. Note that the stored
 * PASSWORD column is printed as-is; this is a classroom example, a real
 * application would never store or echo a password in clear text.
 */
public class TestSelect {

    private static final String SELECT_SQL = "select * from users where id=4";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        Statement statement = null;
        ResultSet rows = null;
        try {
            connection = jdbcUtils.getConnection();
            statement = connection.createStatement();
            rows = statement.executeQuery(SELECT_SQL);
            while (rows.next()) {
                printRow(rows);
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // Closed in order: result set, statement, connection.
            jdbcUtils.release(connection, statement, rows);
        }
    }

    /** Prints the columns of the row the cursor currently points at. */
    private static void printRow(ResultSet row) throws SQLException {
        System.out.println("id=" + row.getObject("id"));
        System.out.println("name=" + row.getObject("NAME"));
        System.out.println("password=" + row.getObject("PASSWORD"));
        System.out.println("email=" + row.getObject("email"));
        System.out.println("birthday=" + row.getObject("birthday"));
    }
}


(2)SQL注入问题

  • 用字符串拼接构造的 SQL 存在漏洞：攻击者可以在输入中拼接 or 等条件,从而导致数据泄露
package com.xiao.lesson02;

import com.xiao.lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/**
 * Teaching example of SQL injection: the login query is built by string
 * concatenation, so the caller's arguments become part of the SQL text.
 *
 * <p>This class is the vulnerable baseline; the PreparedStatement version of
 * SQL_zhuru further down the page is the fix. Do not copy this pattern into
 * real code.
 */
public class SQL_zhuru {

    public static void main(String[] args) throws SQLException {
        // A genuine login would be login("秦疆","123456").
        // With the crafted input below, the quote characters close the string
        // literal in the query, so the WHERE clause matches every row and all
        // users are listed without valid credentials.
        login("'or '1=1","' or '1=1");
    }

    /**
     * Looks up users whose NAME and password match the given strings and
     * prints them.
     *
     * <p>VULNERABLE BY DESIGN: {@code username} and {@code password} are
     * concatenated into the SQL, so a quote in either argument changes the
     * query's structure instead of being treated as data.
     *
     * @param username user-supplied name, copied verbatim into the query
     * @param password user-supplied password, copied verbatim into the query
     * @throws SQLException if releasing the JDBC resources fails
     */
    public static void login(String username, String password) throws SQLException {
        Connection connection = null;
        Statement statement = null;
        ResultSet rows = null;
        try {
            connection = jdbcUtils.getConnection();
            statement = connection.createStatement();

            // Intended query:  SELECT * from users WHERE `name`='秦疆' AND `PASSWORD`='123456'
            // Injected query:  SELECT * from users WHERE `name`='' or '1=1' AND `PASSWORD`='' or '1=1';
            String query = "select * from users where `NAME`='" + username + "' AND `password`='" + password + "'";
            rows = statement.executeQuery(query);

            while (rows.next()) {
                printMatch(rows);
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            jdbcUtils.release(connection, statement, rows);
        }
    }

    /** Prints the name and (clear-text) stored password of the current row. */
    private static void printMatch(ResultSet row) throws SQLException {
        System.out.println("name=" + row.getObject("NAME"));
        System.out.println("password=" + row.getObject("PASSWORD"));
    }
}


(3)PreparedStatement对象

  • 可以防止SQL注入,效率更好!

防止SQL注入本质:

  • 1、把传递进来的参数当作字符

  • 2、即使参数中存在引号等特殊字符,比如说:' 也会被直接转义,而不会被当作SQL语法!

1、工具类
#db.properties
dirver=com.mysql.jdbc.Driver
url=jdbc:mysql://localhost:3306/jdbcStudy?useUnicode=true&characterEncoding=utf8&useSSl=true
username=root
password=123456
package com.xiao.lesson02.utils;

import java.io.IOException;
import java.io.InputStream;
import java.sql.*;
import java.util.Properties;
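/**
 * Minimal JDBC helper: reads connection settings from {@code db.properties}
 * on the classpath, registers the driver once, and hands out connections.
 *
 * <p>Keys read from the properties file: {@code dirver} (spelling kept for
 * compatibility with the existing file), {@code url}, {@code username},
 * {@code password}. The password is read in clear text, so that file must
 * hold no real credentials when it is committed or shipped.
 *
 * <p>The lower-case class name is kept because the lesson classes call it.
 */
public class jdbcUtils {

    private static final String CONFIG_RESOURCE = "db.properties";

    private static String dirver;
    private static String url;
    private static String username;
    private static String password;

    static {
        loadConfiguration();
    }

    /** Not instantiable: every member is static. */
    private jdbcUtils() {
    }

    /**
     * Loads {@code db.properties} and registers the JDBC driver.
     *
     * <p>Failures are reported on stderr instead of being thrown so that the
     * class still initialises; {@link #getConnection()} then fails with an
     * explicit message rather than a {@code NoClassDefFoundError} at every
     * later call site.
     */
    private static void loadConfiguration() {
        // try-with-resources: the original left the stream open after load().
        try (InputStream in = jdbcUtils.class.getClassLoader().getResourceAsStream(CONFIG_RESOURCE)) {
            if (in == null) {
                System.err.println("jdbcUtils: " + CONFIG_RESOURCE + " not found on the classpath");
                return;
            }
            Properties properties = new Properties();
            properties.load(in);

            dirver = properties.getProperty("dirver");
            url = properties.getProperty("url");
            username = properties.getProperty("username");
            password = properties.getProperty("password");

            // The driver only needs to be loaded once, hence the static initializer.
            if (dirver != null) {
                Class.forName(dirver);
            }
        } catch (IOException | ClassNotFoundException e) {
            // Deliberately not rethrown (see Javadoc); the message carries no credentials.
            System.err.println("jdbcUtils: failed to initialise from " + CONFIG_RESOURCE);
            e.printStackTrace();
        }
    }

    /**
     * Opens a new connection using the loaded settings.
     *
     * @return a fresh {@link Connection}; the caller owns it and must close it,
     *         e.g. through {@link #release(Connection, Statement, ResultSet)}
     * @throws SQLException if the configuration was never loaded or the driver
     *         rejects the connection
     */
    public static Connection getConnection() throws SQLException {
        if (url == null) {
            throw new SQLException("jdbcUtils not initialised: " + CONFIG_RESOURCE + " missing or incomplete");
        }
        return DriverManager.getConnection(url, username, password);
    }

    /**
     * Closes the given resources in the conventional order (result set,
     * statement, connection). {@code null} arguments are skipped.
     *
     * <p>Unlike a plain sequence of {@code close()} calls, a failure while
     * closing one resource does not prevent the remaining ones from being
     * closed: the first failure is rethrown after all three have been
     * attempted, with any later failures attached as suppressed exceptions.
     *
     * @param conn connection to close, may be {@code null}
     * @param st   statement to close, may be {@code null}
     * @param rs   result set to close, may be {@code null}
     * @throws SQLException if closing any of the resources failed
     */
    public static void release(Connection conn, Statement st, ResultSet rs) throws SQLException {
        SQLException failure = closeCollecting(rs, null);
        failure = closeCollecting(st, failure);
        failure = closeCollecting(conn, failure);
        if (failure != null) {
            throw failure;
        }
    }

    /**
     * Closes {@code resource} (if non-null) and folds any failure into
     * {@code pending} so that the caller can keep closing the others.
     *
     * @return the first failure seen so far, or {@code null} if none
     */
    private static SQLException closeCollecting(AutoCloseable resource, SQLException pending) {
        if (resource == null) {
            return pending;
        }
        try {
            resource.close();
        } catch (Exception e) {
            // AutoCloseable.close() is declared to throw Exception; JDBC objects throw SQLException.
            SQLException failure = e instanceof SQLException ? (SQLException) e : new SQLException(e);
            if (pending == null) {
                return failure;
            }
            pending.addSuppressed(failure);
        }
        return pending;
    }
}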
2、增
package com.xiao.lesson03;

import com.xiao.lesson03.utils.jdbcUtils;
import java.sql.Connection;
import java.util.Date;   //注意!
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Demo: insert one row through a {@link PreparedStatement}.
 *
 * <p>The SQL contains only {@code ?} placeholders; every value is bound
 * afterwards through a typed setter, so the values are sent as data and never
 * become part of the SQL text.
 */
public class TestInsert {

    private static final String INSERT_SQL = "insert into users values(?,?,?,?,?)";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        PreparedStatement insert = null;
        try {
            connection = jdbcUtils.getConnection();
            // Pre-compiled once with placeholders; nothing is executed yet.
            insert = connection.prepareStatement(INSERT_SQL);
            bindRow(insert);
            reportInsert(insert.executeUpdate());
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            jdbcUtils.release(connection, insert, null);
        }
    }

    /** Binds the demo row; placeholder indexes are 1-based. */
    private static void bindRow(PreparedStatement insert) throws SQLException {
        insert.setInt(1, 5);
        insert.setString(2, "狂神说Java");
        insert.setString(3, "136257");
        insert.setString(4, "[email protected]");
        // setDate() wants java.sql.Date (a date-only wrapper over an epoch
        // millisecond value), not java.util.Date; "now" is the current time.
        insert.setDate(5, new java.sql.Date(System.currentTimeMillis()));
    }

    /** Prints the success message when at least one row was written. */
    private static void reportInsert(int affectedRows) {
        if (affectedRows > 0) {
            System.out.println("插入成功!!");
        }
    }
}
3、删
package com.xiao.lesson03;

import com.xiao.lesson03.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Demo: delete one row through a {@link PreparedStatement}.
 *
 * <p>The row id is bound as a parameter rather than written into the SQL.
 */
public class TestDelete {

    private static final String DELETE_SQL = "delete from users where id=?";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        PreparedStatement delete = null;
        try {
            connection = jdbcUtils.getConnection();
            // Pre-compiled once with a placeholder; nothing is executed yet.
            delete = connection.prepareStatement(DELETE_SQL);
            // Placeholder indexes are 1-based.
            delete.setInt(1, 4);
            reportDelete(delete.executeUpdate());
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            jdbcUtils.release(connection, delete, null);
        }
    }

    /** Prints the success message when at least one row was removed. */
    private static void reportDelete(int affectedRows) {
        if (affectedRows > 0) {
            System.out.println("删除成功!!");
        }
    }
}
4、改
package com.xiao.lesson03;

import com.xiao.lesson03.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Demo: update one row through a {@link PreparedStatement}.
 *
 * <p>Both the new name and the row id are bound as parameters, so the SQL
 * text stays constant regardless of the values.
 */
public class TestUpdate {

    private static final String UPDATE_SQL = "update users set `NAME`=? where id=?";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        PreparedStatement update = null;
        try {
            connection = jdbcUtils.getConnection();
            // Pre-compiled once with placeholders; nothing is executed yet.
            update = connection.prepareStatement(UPDATE_SQL);
            // Placeholder indexes are 1-based: 1 = new name, 2 = row id.
            update.setString(1, "丁真");
            update.setInt(2, 3);
            reportUpdate(update.executeUpdate());
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            jdbcUtils.release(connection, update, null);
        }
    }

    /** Prints the success message when at least one row was changed. */
    private static void reportUpdate(int affectedRows) {
        if (affectedRows > 0) {
            System.out.println("更新成功!!");
        }
    }
}
5、查
package com.xiao.lesson03;

import com.xiao.lesson03.utils.jdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Date;

/**
 * Demo: query one row through a {@link PreparedStatement} and print it.
 *
 * <p>The row id is bound as a parameter. The stored PASSWORD column is
 * echoed as-is; that is acceptable only in this classroom example.
 */
public class TestSelect {

    private static final String SELECT_SQL = "select * from users where id=?";

    public static void main(String[] args) throws SQLException {
        Connection connection = null;
        PreparedStatement select = null;
        ResultSet rows = null;
        try {
            connection = jdbcUtils.getConnection();
            // Pre-compiled once with a placeholder; nothing is executed yet.
            select = connection.prepareStatement(SELECT_SQL);
            // Placeholder indexes are 1-based.
            select.setInt(1, 5);
            rows = select.executeQuery();
            while (rows.next()) {
                printRow(rows);
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // Closed in order: result set, statement, connection.
            jdbcUtils.release(connection, select, rows);
        }
    }

    /** Prints the id, name and stored password of the current row. */
    private static void printRow(ResultSet row) throws SQLException {
        System.out.println("id=" + row.getInt("id"));
        System.out.println("name=" + row.getString("NAME"));
        System.out.println("password=" + row.getString("PASSWORD"));
    }
}
6、防止SQL注入
package com.xiao.lesson03;

import com.xiao.lesson02.utils.jdbcUtils;

import java.sql.*;

/**
 * The fixed login: the same query as the Statement-based SQL_zhuru on this
 * page, but with both values bound as {@link PreparedStatement} parameters.
 *
 * <p>Bound parameters are transmitted as values, so a quote inside
 * {@code username} or {@code password} is just a character in the value and
 * cannot alter the query's structure. Two caveats a reader should keep in
 * mind: parameters can bind only values (not table or column names, which
 * still must never come from user input), and this demo compares the
 * password in clear text against the stored column, which a real system
 * would replace with a salted hash comparison.
 */
public class SQL_zhuru {

    public static void main(String[] args) throws SQLException {
        // A genuine login would be login("丁真","123456").
        // The crafted input below is bound as one literal NAME value, so it
        // matches no row: the injection from the Statement version no longer works.
        login("'' or '1=1","123456");
    }

    /**
     * Looks up users whose NAME and PASSWORD match the given values and
     * prints them.
     *
     * @param username value bound to the NAME placeholder
     * @param password value bound to the PASSWORD placeholder
     * @throws SQLException if releasing the JDBC resources fails
     */
    public static void login(String username, String password) throws SQLException {
        Connection connection = null;
        PreparedStatement select = null;
        ResultSet rows = null;
        try {
            connection = jdbcUtils.getConnection();

            // Only placeholders in the SQL text; the values arrive separately.
            // (MyBatis and similar mappers generate exactly this shape.)
            String query = "select * from users where `NAME`=? and `PASSWORD`=?";  //Mybatis
            select = connection.prepareStatement(query);

            // Placeholder indexes are 1-based.
            select.setObject(1, username);
            select.setObject(2, password);

            rows = select.executeQuery();
            while (rows.next()) {
                printMatch(rows);
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            jdbcUtils.release(connection, select, rows);
        }
    }

    /** Prints the name and (clear-text) stored password of the current row. */
    private static void printMatch(ResultSet row) throws SQLException {
        System.out.println("name=" + row.getObject("NAME"));
        System.out.println("password=" + row.getObject("PASSWORD"));
    }
}

Statement、PreparedStatement对象详解,及SQL问题解决的学习笔记到此为止~
