Password verification
- Java code
<%@include file="dbsconn.jsp"%>
<%
    // conn comes from dbsconn.jsp (included above)
    Statement st = conn.createStatement(ResultSet.TYPE_SCROLL_SENSITIVE, ResultSet.CONCUR_UPDATABLE);
    String login_name = request.getParameter("login_name");
    String password = request.getParameter("password");
    // The defect this thread is about: login_name is concatenated without single quotes,
    // so SQL Server reads the submitted value as a column name
    String sql = "select count(*) from UserT where UserName like " + login_name + " and password like '" + password + "'";
    ResultSet rs = st.executeQuery(sql);
    // A JDBC cursor starts before the first row and columns are 1-based,
    // so rs.next() is required and count(*) is column 1, not 0
    if (rs.next() && rs.getInt(1) != 0)
        response.sendRedirect("/main.jsp");
    else
        response.sendRedirect("login.jsp");
    session.setAttribute("grade", "");
    session.setAttribute("BranchID", "");
    session.setAttribute("NodeID", "");
    session.setAttribute("UserPrivate", "");
    session.setAttribute("UserId", "");
%>
dbsconn.jsp
- Java code
<%@ page import="java.sql.*" %>
<%
    Connection conn = null;
    String driver = "com.microsoft.jdbc.sqlserver.SQLServerDriver";
    //String driver = "com.microsoft.sqlserver.jdbc.SQLServerDriver";
    String url = "jdbc:microsoft:sqlserver://localhost:1433;databaseName=NetBank";
    String name = "sa";
    String pass = "123456";
    // Method for connecting to the database
    try {
        System.out.println("***Loading database driver***");
        Class.forName(driver);
        System.out.println("***Database driver loaded***");
        System.out.println("***Connecting to database***");
        conn = DriverManager.getConnection(url, name, pass);
        System.out.println("***Database connection succeeded***");
    } catch (ClassNotFoundException ce) {
        System.out.println("Driver jar not found, or the driver class name is wrong!");
        ce.printStackTrace();
    } catch (SQLException se) {
        System.out.println("SQL connection string is wrong!");
        se.printStackTrace();
    } catch (Exception e) {
        e.printStackTrace();
    }
%>
Error that appears in the compiler
***Loading database driver***
***Database driver loaded***
***Connecting to database***
***Database connection succeeded***
2012-9-13 20:52:33 org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
java.sql.SQLException: [Microsoft][SQLServer 2000 Driver for JDBC][SQLServer]Invalid column name 'admin'.
Error shown on the page:
org.apache.jasper.JasperException: An exception occurred processing JSP page /check_login.jsp at line 27
24: String login_name = request.getParameter("login_name");
25: String password=request.getParameter("password");
26: String sql="select count(*) from UserT where UserName like " + login_name + " and password like '" + password + "'";
27: ResultSet rs=st.executeQuery(sql);
28: if(rs.getInt(0)!=0) response.sendRedirect("/main.jsp");
29: else response.sendRedirect("login.jsp");
------Solution--------------------------------------------------------
When assembling the SQL you left out the single quotes:
String sql="select count(*) from UserT where UserName like " + login_name + " and password like '" + password + "'";
It should be:
String sql="select count(*) from UserT where UserName like '" + login_name + "' and password like '" + password + "'";
By the way, a reminder: this approach has a SQL injection vulnerability.
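The injection the answer warns about survives the quoting fix: with the corrected line, a password of ' or '1'='1 turns the WHERE clause into ... and password like '' or '1'='1', so count(*) is nonzero for any user name, and on SQL Server a login_name of admin' -- comments out the password check entirely. Because the query uses like, a password of % also matches every row. The following helper is an added example, not code from the thread; it assumes the conn opened by dbsconn.jsp and the UserT table from the question, and the class name LoginCheck is hypothetical. It binds both values as parameters with PreparedStatement, compares with = instead of like, and also corrects the rs.getInt(0) in the original, which would have thrown once the SQL error was fixed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Hypothetical helper class; the name is not from the thread.
public class LoginCheck {

    // Returns true only when exactly one UserT row has this UserName and password.
    // The values travel as bound parameters, never as part of the SQL text, so
    // a login_name of "admin' --" or a password of "' or '1'='1" is compared
    // literally and matches nothing.
    public static boolean credentialsMatch(Connection conn, String loginName, String password)
            throws SQLException {
        // "=" rather than "like": with "like", a password of "%" would match every row.
        String sql = "select count(*) from UserT where UserName = ? and password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, loginName);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                // The JDBC cursor starts before the first row and columns are 1-based:
                // rs.next() is required, and count(*) is column 1, not 0.
                return rs.next() && rs.getInt(1) == 1;
            }
        }
    }
}
```

In check_login.jsp the createStatement/executeQuery block would then become if (LoginCheck.credentialsMatch(conn, login_name, password)) followed by the two redirects. Note that UserT, as used in the question, stores the password in clear text and compares it directly; replacing that with a hashed comparison is the next step but is outside what this thread covers.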
------Solution--------------------------------------------------------