一、查询数据表 select

package com.rupeng.jdbctest1;

import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException;

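/**
 * Minimal JDBC read example: prints every row of {@code t_persons} to standard output.
 *
 * <p>Teaching code for a local practice database. The JDBC URL and the {@code root}/{@code root}
 * account are hard-coded; an application that leaves the workstation should load its
 * credentials from configuration or a secret store and connect with an account that holds
 * only the privileges it needs (here: SELECT on one table), never the database superuser.
 */
public class Test2 {

	/**
	 * Loads the MySQL driver, runs {@code select * from t_persons} and prints one line per row.
	 *
	 * @param args unused
	 */
	public static void main(String[] args) {
		try {
			// Same driver class the login listings on this page load. The original spelling,
			// "com.jdbc.mysql.Driver", has the package segments transposed.
			Class.forName("com.mysql.jdbc.Driver");
		} catch (ClassNotFoundException e) {
			System.err.println("加载jdbc驱动"+e.getMessage());
		}

		// try-with-resources closes the result set, statement and connection in reverse order,
		// also when a SQLException is thrown; the original left all three open behind an
		// empty finally block.
		// "useUnicode" replaces the misspelled "seUnicode" property of the original URL.
		try (Connection conn=DriverManager.getConnection("jdbc:mysql://localhost/mystudy1?useUnicode=true&characterEncoding=UTF-8", "root", "root");
				PreparedStatement stmt=conn.prepareStatement("select * from t_persons");
				ResultSet rs=stmt.executeQuery()) {
			while(rs.next()){
				int id=rs.getInt("ID");
				String name=rs.getString("name");
				int age=rs.getInt("age");
				String hobbies=rs.getString("hobbies");
				System.out.println("ID:"+id+";"+"姓名:"+name+";"+"年龄:"+age+";"+"hobbies:"+hobbies);
			}
		} catch (SQLException e) {
			// Only the driver message is reported; the stack trace is deliberately not printed.
			System.err.println("链接jdbc不成功"+e.getMessage());
		}
	}

}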

二、sql实现登录和漏洞

package com.rupeng.jdbctest1;

import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.util.Scanner;

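/**
 * Console login check that is DELIBERATELY VULNERABLE to SQL injection.
 *
 * <p>This is the "before" listing of the tutorial. The user name and password read from
 * standard input are spliced into the SQL text, so a quote character in either value changes
 * the structure of the WHERE clause instead of being compared as data. Calling
 * {@code prepareStatement} does not help here: the statement has no {@code ?} placeholders,
 * so nothing is bound. The next section of this page ("三、改造漏洞") shows the corrected,
 * parameterized query. Do not reuse this version outside the exercise.
 */
public class Test3 {

	/**
	 * Reads a name and password, counts matching rows in {@code t_persons2} and prints
	 * {@code success} when the count is positive.
	 *
	 * @param args unused
	 */
	public static void main(String[] args) {
		Scanner sc=new Scanner(System.in);

		System.out.println("enter name");
		String name=sc.nextLine();
		System.out.println("enter yourpassword");
		String password=sc.nextLine();

		try {
			Class.forName("com.mysql.jdbc.Driver");
		} catch (ClassNotFoundException e) {
			System.out.println("加载jdbc驱动" + e.getMessage());
		}

		// First attempt, kept for reference: the values were concatenated without quotes,
		//   String sql="select count(*) c from t_persons2 where name="+name+" and password"+password;
		// which produced
		//   select count(*) c from t_persons2 where name=zhaohan and password123
		// and failed because the single quotes were missing.

		// VULNERABLE ON PURPOSE: untrusted input becomes part of the SQL text.
		// The statement is built once, so the line echoed below is exactly what is executed
		// (the original echoed a second string that lacked the '=' after "password").
		// The echo also writes the typed password to the console; acceptable only in a demo.
		String sql="select count(*) c from t_persons2 where name='"+name+"'and password='"+password+"'";
		System.out.println(sql);

		// "useUnicode" replaces the misspelled "seUnicode" property of the original URL.
		// try-with-resources closes the result set, statement and connection, which the
		// original never did.
		try (Connection conn=DriverManager.getConnection("jdbc:mysql://localhost/mystudy1?useUnicode=true&characterEncoding=UTF-8", "root", "root");
				PreparedStatement stmt=conn.prepareStatement(sql);
				ResultSet rs=stmt.executeQuery()) {
			// count(*) always yields exactly one row, so the cursor only has to be advanced once.
			rs.next();
			int c=rs.getInt("c");
			System.out.println(c);
			if(c<=0){
				System.out.println("失败");
			}else{
				System.out.println("success");
			}

			// Session recorded by the author with the original listing:
			//   enter name
			//   admin
			//   enter yourpassword
			//   a' or 'a'='a
			//   select count(*) c from t_persons2 where name='admin' and password'a' or 'a'='a'
			//   1
			//   success
			// Why the check passes: AND binds tighter than OR, so the trailing OR 'a'='a' makes
			// the WHERE clause true for every row and the count is positive whatever password
			// is stored.
		} catch (SQLException e) {
			// Restored handler: on the page this catch clause had been folded into the
			// transcript comment above, leaving the try without a catch.
			System.out.println("链接失败" + e.getMessage());
		}
	}

}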

三、改造漏洞

package com.rupeng.jdbctest1;

import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.util.Scanner;

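/**
 * Console login check rewritten with a parameterized query, closing the SQL injection hole
 * of the concatenated version.
 *
 * <p>The SQL text is a constant containing two {@code ?} placeholders; the typed name and
 * password are bound with {@code setString}, so they are always treated as values and can
 * never add or change SQL syntax.
 *
 * <p>Remaining limits of this teaching code, which the parameterized query does not address:
 * <ul>
 *   <li>Comparing the {@code password} column with the typed value implies that passwords are
 *       stored in plaintext. A real system stores a salted, slow password hash (bcrypt,
 *       scrypt or Argon2) and verifies it in application code.</li>
 *   <li>The connection uses the hard-coded {@code root}/{@code root} account. Use a
 *       least-privileged account and keep credentials out of the source.</li>
 *   <li>Placeholders bind values only. Table or column names cannot be bound and have to be
 *       chosen from a fixed allow-list if they ever depend on input.</li>
 * </ul>
 */
public class Test3 {

	/**
	 * Reads a name and password, counts matching rows in {@code t_persons2} and prints
	 * {@code success} when the count is positive.
	 *
	 * @param args unused
	 */
	public static void main(String[] args) {
		Scanner sc=new Scanner(System.in);

		System.out.println("enter name");
		String name=sc.nextLine();
		System.out.println("enter yourpassword");
		String password=sc.nextLine();

		try {
			Class.forName("com.mysql.jdbc.Driver");
		} catch (ClassNotFoundException e) {
			System.out.println("加载jdbc驱动" + e.getMessage());
		}

		// History of the query, kept for reference.
		// 1) Values concatenated without quotes:
		//   String sql="select count(*) c from t_persons2 where name="+name+" and password"+password;
		//   -> select count(*) c from t_persons2 where name=zhaohan and password123
		//   (invalid: the single quotes are missing)
		// 2) Values concatenated inside quotes (injectable):
		//   stmt=conn.prepareStatement("select count(*) c from t_persons2 where name='"+name+"'and password='"+password+"'");
		//   Session recorded by the author with that version:
		//     enter name
		//     admin
		//     enter yourpassword
		//     a' or 'a'='a
		//     select count(*) c from t_persons2 where name='admin' and password'a' or 'a'='a'
		//     1
		//     success

		// 3) Current form: constant SQL text, values supplied through placeholders.
		String sql="select count(*) c from t_persons2 where name=?  and password=?";

		// "useUnicode" replaces the misspelled "seUnicode" property of the original URL.
		// try-with-resources closes the statement and connection, which the original never did.
		try (Connection conn=DriverManager.getConnection("jdbc:mysql://localhost/mystudy1?useUnicode=true&characterEncoding=UTF-8", "root", "root");
				PreparedStatement stmt=conn.prepareStatement(sql)) {
			// JDBC parameter indexes start at 1.
			stmt.setString(1, name);
			stmt.setString(2, password);
			try (ResultSet rs=stmt.executeQuery()) {
				// count(*) always yields exactly one row, so the cursor is advanced once.
				rs.next();
				int c=rs.getInt("c");
				System.out.println(c);
				if(c<=0){
					System.out.println("失败");
				}else{
					System.out.println("success");
				}
			}
		} catch (SQLException e) {
			// Restored handler: on the page this catch clause had been folded into a comment
			// line, leaving the try without a catch.
			System.out.println("链接失败" + e.getMessage());
		}
	}

}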