
JDBC - PrepareStatement(03)

Popularity: 89   Published: 2023-12-13 06:03:11.0

The problem with Statement

    // Requires java.sql.Connection, java.sql.Statement and java.sql.ResultSet;
    // con is an already-opened Connection (not shown in the post).
    public static void main(String[] args) throws Exception {
        Statement statement = con.createStatement();
        String qid = "160341238 or 1 = 1";
        // the user-supplied value is concatenated straight into the SQL text
        String sql = "select * from students where id = " + qid;
        ResultSet query = statement.executeQuery(sql);
        while (query.next()) {
            String id = query.getString("id");
            String name = query.getString("name");
            String clazz = query.getString("clazz");
            System.out.println(id + " " + name + " " + clazz);
        }
        /**
         * Console:
         * 160341238 赵承阳 160341B
         * aaa 詹金浩 160341B
         */
    }

In the code above, appending `or 1 = 1` to the queried qid returns every row in the table: `or 1 = 1` is always true, and because the Statement we just used builds the SQL by string concatenation, the `or` inside the string is parsed as an SQL keyword, so the WHERE condition is always satisfied. The PreparedStatement class can be used to solve this problem.

    // Requires java.sql.Connection, java.sql.PreparedStatement and java.sql.ResultSet;
    // con is an already-opened Connection (not shown in the post).
    public static void main(String[] args) throws Exception {
        String sql = "select * from students where id=?";
        PreparedStatement ps = con.prepareStatement(sql);
        /**
         * Parameter indices start at 1; the string is bound to the matching ?.
         * Any keyword inside it is treated as string data as well.
         */
        ps.setString(1, "160341238 or 1 = 1");
        ResultSet query = ps.executeQuery();
        while (query.next()) {
            String id = query.getString("id");
            String name = query.getString("name");
            String clazz = query.getString("clazz");
            System.out.println(id + " " + name + " " + clazz);
        }
        // no rows returned
    }
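The two behaviours above (concatenated Statement versus bound PreparedStatement parameter), as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module rather than JDBC so that it runs offline with no driver; sqlite3 uses the same `?` placeholders. The table contents, the `SORTABLE` allowlist and the `query_*` functions are constructed for this example; `query_sorted` also shows the caveat that placeholders bind values only, so a column name still has to be checked against a fixed list.

```python
import sqlite3

# Constructed copy of the post's students table (two rows, matching its console output).
ROWS = [
    ("160341238", "赵承阳", "160341B"),
    ("aaa", "詹金浩", "160341B"),
]

# Column names a caller may sort by; identifiers cannot be bound with ?.
SORTABLE = {"id", "name", "clazz"}


def make_db():
    """Build an in-memory database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table students (id text, name text, clazz text)")
    con.executemany("insert into students values (?, ?, ?)", ROWS)
    return con


def query_concat(con, qid):
    """Vulnerable: same shape as the Statement version, SQL built by concatenation."""
    sql = "select id, name, clazz from students where id = " + qid
    return con.execute(sql).fetchall()


def query_bound(con, qid):
    """Safe: the ? placeholder receives qid as one string value, never as SQL text."""
    sql = "select id, name, clazz from students where id = ?"
    return con.execute(sql, (qid,)).fetchall()


def query_sorted(con, clazz, order_by):
    """Placeholders only bind values, so the column name is checked against
    SORTABLE before it is spliced into the statement; clazz is still bound with ?."""
    if order_by not in SORTABLE:
        raise ValueError("unsupported sort column: %r" % order_by)
    sql = "select id from students where clazz = ? order by " + order_by
    return [row[0] for row in con.execute(sql, (clazz,)).fetchall()]


if __name__ == "__main__":
    con = make_db()
    payload = "160341238 or 1 = 1"
    print("concat:", query_concat(con, payload))  # every row in the table
    print("bound: ", query_bound(con, payload))   # []
```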