jsp页面
<%@ page language="java" contentType="text/html; charset=utf-8"
pageEncoding="utf-8"%>
<%-- Login page: collects an account name and a password and submits them to TestLoginServlet
     (the relative action resolves against this page's own URL path). A JSP comment like this
     one is stripped on the server; an HTML <!-- --> comment would be sent to the browser. --%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Insert title here</title>
</head>
<body>
<form action="TestLoginServlet" method="post">
<%-- method="post" keeps the credentials out of the query string, where they would end up in
     browser history and server access logs. Field names must match the servlet's
     getParameter("uname") / getParameter("pwd") calls. --%>
<pre>
账号:<input type="text" name="uname">
密码:<input type="password" name="pwd">
<input type="submit" name="sub" value="登录">
</pre>
</form>
</body>
</html>
存在SQL注入问题的代码
package com.yyy.servlet;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* author:呆萌老师
* qq: 2398779723
* weixin: it_daimeng
*/
/**
 * Login servlet, VULNERABLE version: this is the article's "before" listing and is kept
 * deliberately injectable to show the defect. The user name and password are spliced into
 * the SQL text with string concatenation, so a quote character in either field changes the
 * structure of the query. The corrected listing further down binds the values with a
 * PreparedStatement instead.
 */
@WebServlet("/TestLoginServlet")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public LoginServlet() {
        super();
        // TODO Auto-generated constructor stub
    }

    /**
     * Handles the login form: reads uname/pwd, runs a SELECT against the user table and
     * prints a success script or an error message.
     *
     * <p>Defects demonstrated here (all fixed in the second listing except where noted):
     * SQL built by concatenation; Connection/ResultSet closed only on the success path and
     * the Statement never closed; exceptions swallowed with printStackTrace, leaving the
     * response empty; database credentials hard-coded in source.
     *
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
        //response.getWriter().append("Served at: ").append(request.getContextPath());
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html;charset=utf-8");
        // 1. Read the user's input (untrusted: taken straight from the request).
        String uname=request.getParameter("uname");
        String pwd=request.getParameter("pwd");
        // 2. Connect to the database and run the query.
        try {
            // Older Connector/J driver class name; modern JDBC drivers self-register.
            Class.forName("com.mysql.jdbc.Driver");
            // NOTE(review): credentials do not belong in source; load them from container configuration.
            Connection connection= DriverManager.getConnection("jdbc:mysql://localhost:3306/itstar?characterEncoding=utf-8","itstar","yyy123456");
            // e.g. uname=zhangsan' or '1'='1   -> SQL injection
            // Injection-safe alternative (the one used in the corrected listing below):
            //String sql="select * from user where uname=? and upwd=?";
            // prepared (pre-compiled) statement object
            // PreparedStatement pstatement= connection.prepareStatement(sql);
            //
            // pstatement.setString(1, uname);
            //
            // pstatement.setString(2, pwd);
            //
            // ResultSet rSet= pstatement.executeQuery();
            Statement statement = connection.createStatement();
            // INJECTION POINT: uname and pwd become part of the SQL text, so the database
            // parses whatever the user typed as syntax, not as a value.
            String sql = "select * from user where uname = '"+uname+"' and upwd = '"+pwd+"'";
            // With the input above the text becomes:
            //"select * from user where uname = 'zhangsan' or '1'='1' and pwd = '"+pwd+"'"
            ResultSet rSet = statement.executeQuery(sql);
            // Any matching row counts as a successful login.
            if(rSet.next())
                response.getWriter().println("<script>alert('登录成功')</script>");
            else
                response.getWriter().println("用户名或密码出错");
            // Only reached when the query succeeds: an SQLException above leaks the
            // Connection, and the Statement is never closed on any path.
            rSet.close();
            connection.close();
        } catch (ClassNotFoundException e) {
            // TODO Auto-generated catch block
            // Swallowed: the client gets an empty 200 response.
            e.printStackTrace();
        } catch (SQLException e) {
            // TODO Auto-generated catch block
            // Swallowed: the client gets an empty 200 response.
            e.printStackTrace();
        }
        // 3. Result handling is done in the if/else above.
    }

    /**
     * POST (the method the JSP form uses) is handled exactly like GET.
     *
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
        doGet(request, response);
    }
}
当输入的用户名为 y1' or '1'='1 时，SQL 语句会被拼接为
"select * from user where uname = 'y1' or '1'='1' and upwd = '"+pwd+"'"
由于 and 的优先级高于 or，这个条件相当于 uname = 'y1' or ('1'='1' and upwd = ...)：只要用户名 y1 存在，不管输入的密码是什么，都会登录成功。
避免sql注入的代码
package com.yyy.servlet;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
/**
* author:呆萌老师
* qq: 2398779723
* weixin: it_daimeng
*/
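/**
 * Login servlet, injection-safe version: the user name and password from the form are bound
 * to a {@link PreparedStatement} instead of being concatenated into the SQL text.
 *
 * <p>Compared with the listing above, this version also closes the connection, statement and
 * result set on every path (try-with-resources) and surfaces driver/database failures as a
 * {@link ServletException} instead of printing a stack trace and returning an empty page.
 */
@WebServlet("/TestLoginServlet")
public class LoginServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    // Connection settings taken unchanged from the original listing.
    // NOTE(review): credentials do not belong in source; in real code read them from
    // container configuration (e.g. a JNDI DataSource).
    private static final String JDBC_URL =
            "jdbc:mysql://localhost:3306/itstar?characterEncoding=utf-8";
    private static final String DB_USER = "itstar";
    private static final String DB_PASSWORD = "yyy123456";

    /**
     * Parameterised query: both values are bound with setString, so a quote in the input is
     * data, never SQL syntax.
     * NOTE(review): comparing the submitted password with the upwd column directly only works
     * if passwords are stored in plain text; store a salted hash and verify it in Java.
     */
    private static final String LOGIN_SQL = "select * from user where uname=? and upwd=?";

    /**
     * @see HttpServlet#HttpServlet()
     */
    public LoginServlet() {
        super();
    }

    /**
     * Handles the login form sent with GET.
     *
     * <p>The JSP form uses POST; GET is kept only because the original listing served it.
     * Credentials in a query string end up in browser history and access logs.
     *
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        handleLogin(request, response);
    }

    /**
     * Handles the login form sent with POST (the method the JSP form uses).
     *
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        handleLogin(request, response);
    }

    /**
     * Reads uname/pwd from the request, checks them against the user table and writes either
     * the success script or the error message of the original listing.
     *
     * @param request  the login request carrying the uname and pwd form fields
     * @param response the response the result message is written to
     * @throws ServletException if the JDBC driver cannot be loaded or the query fails; the
     *     cause is attached for the container's log, and this servlet writes no SQL detail
     *     to the client
     * @throws IOException if the response writer fails
     */
    private void handleLogin(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        request.setCharacterEncoding("utf-8");
        response.setContentType("text/html;charset=utf-8");

        // 1. Read the user's input. Both values are untrusted and are only ever used as
        //    bind parameters below.
        String uname = request.getParameter("uname");
        String pwd = request.getParameter("pwd");
        // A missing field cannot match any row, so answer without a database round trip.
        if (uname == null || pwd == null) {
            response.getWriter().println("用户名或密码出错");
            return;
        }

        // 2. Run the query. Explicit driver loading is kept from the original (older
        //    Connector/J class name); JDBC 4 drivers register themselves automatically.
        try {
            Class.forName("com.mysql.jdbc.Driver");
        } catch (ClassNotFoundException e) {
            throw new ServletException("JDBC driver class not found", e);
        }
        boolean matched;
        // try-with-resources closes connection, statement and result set on every path;
        // the original closed them only after a successful query and never closed the statement.
        try (Connection connection = DriverManager.getConnection(JDBC_URL, DB_USER, DB_PASSWORD);
             PreparedStatement pstatement = connection.prepareStatement(LOGIN_SQL)) {
            pstatement.setString(1, uname);
            pstatement.setString(2, pwd);
            try (ResultSet rSet = pstatement.executeQuery()) {
                // Any matching row counts as a successful login, as in the original.
                matched = rSet.next();
            }
        } catch (SQLException e) {
            // Not swallowed: the container reports the failure instead of an empty 200 page.
            throw new ServletException("login query failed", e);
        }

        // 3. Report the result.
        if (matched) {
            response.getWriter().println("<script>alert('登录成功')</script>");
        } else {
            response.getWriter().println("用户名或密码出错");
        }
    }
}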
使用预编译（参数化）SQL 语句后，不管页面输入的参数是什么，都只会被当作参数值处理，而不会被解释为 SQL 语法的一部分。这样就可以避免 SQL 注入漏洞了。