11级_Java_曹建波6.19 解决注入问题

解决注入问题

private
voidbtnSubmitActionPerformed(java.awt.event.ActionEvent evt) {
StringuserName = txtName.getText();
Stringpassword = new String(txtPassword.getPassword());
Stringemail = txtEmail.getText();
Stringbirthday = txtBirthday.getText();

Connectioncon = null;
PreparedStatementps = null;

Stringsql = "insert into users(name,password,email,birthday)values(?,?,?,?) ";

try {
con= DBManager.getConnection();
ps= con.prepareStatement(sql);
ps.setString(1,userName);
ps.setString(2, password);
ps.setString(3,email);
ps.setDate(4,Date.valueOf(birthday));
inti =ps.executeUpdate();
if (userName!=null&&password!=null) {
JOptionPane.showMessageDialog(this,"注册成功！");
}else {
JOptionPane.showMessageDialog(this,"注册失败！");
}
}catch (SQLException e) {
// TODO Auto-generatedcatch block
e.printStackTrace();
}finally{
DBManager.dbClose1(ps, con);
}
}

private
voidbtnLogonActionPerformed(java.awt.event.ActionEvent evt) {
newLogon().setVisible(true);
}

private
voidbtnloginActionPerformed(java.awt.event.ActionEvent evt) {
StringuserName = txtName.getText();
Stringpassword = new String(txtPassword.getPassword());
Connectioncon = null;
//Statement st= null;
PreparedStatementps = null;
ResultSetrs = null;
//String sql= "select id from users where name='" + userName+ "'andpassword='" + password + "'";
Stringsql = "select id from users where name=? andpassword=?";

try {
con= DBManager.getConnection();
//st =con.createStatement();
ps= con.prepareStatement(sql);

ps.setString(1,userName);
ps.setString(2,password);

//rs =st.executeQuery(sql);
rs= ps.executeQuery();
if (rs.next()) {
JOptionPane.showMessageDialog(this,"登陆成功！");
}else {
JOptionPane.showMessageDialog(this,"登陆失败！");
}
}catch (SQLException e) {
e.printStackTrace();
}finally {
DBManager.dbClose(rs,ps, con);
}
}