JDBC—JDBC的SQL注入漏洞

SQL注入漏洞指的是在已知用户名但不知道密码的情况下，还能登陆。

[code]package com.dream.demo4;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.Statement;

import org.junit.Test;

import com.jdbc.dream.utils.JDBCutils;

public class JDBCDemo {

@Test
public void demo() {
boolean flag = JDBCDemo.login("aaa' or '1=1", "sadfsfsdf");
if(flag) {
System.out.println("登陆成功");
}else {
System.out.println("登陆失败");
}
}

public static boolean login(String username,String password) {
Connection conn = null;
Statement stat = null;
ResultSet res = null;
boolean flag = false;
try {
conn = JDBCutils.getConnection();
stat = conn.createStatement();
// 编写SQL语句
String sql = "select * from user where username ='"+username+"' and password ='"+password+"'";
res = stat.executeQuery(sql);
if(res.next()) {
flag = true;
}else {
flag = false;
}
} catch (Exception e) {

} finally {
JDBCutils.release(res, conn, stat);
}
return flag;
}
}

即使密码乱输入也能够登陆成功，这就是SQL注入漏洞，用户可以在文本框中输入aaa' or '1=1。这样就能随意登陆成功了。

SQL注入漏洞产生的根本原因是字符串拼接。

[code]	/**
*  避免SQL注入漏洞的方法
*/
public static boolean login2(String username,String password) {
Connection conn = null;
PreparedStatement pre = null;
ResultSet res = null;
boolean flag = false;
try {
conn = JDBCutils.getConnection();
// 编写SQL语句  固定了SQL语句的格式
String sql = "select * from user where username ? and password ?";
// 预处理SQL
pre = conn.prepareStatement(sql);
// 设置参数
pre.setString(1, username);
pre.setString(2, password);
// 执行SQL
res = pre.executeQuery();
if(res.next()) {
flag = true;
}else {
flag = false;
}
} catch (Exception e) {
// TODO: handle exception
} finally {
if(conn!=null) {
try {
conn.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
conn=null;
}

if(pre!=null) {
try {
pre.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
pre=null;
}

if(res!=null) {
try {
res.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
res=null;
}
}
return flag;
}