java 防止sql注入的简单方法
package test;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import utils.DBUtils;
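// NOTE(review): the class declaration that preceded this method was garbled in the
// source listing ("public> public static ..."); the original class name is not
// recoverable from here. The closing brace after this method belongs to that class.
/**
 * Demonstrates an injection-safe query: every value that could originate from a
 * user is bound as a JDBC parameter and is never concatenated into the SQL text.
 *
 * The WHERE clause uses the "(1=? OR col=?)" trick so that a filter can be switched
 * off at runtime without changing the SQL string: binding 1 to the flag makes the
 * parenthesised group true regardless of the column value, binding 0 makes the
 * group depend on the column comparison (A OR true = true, A OR false = A,
 * A AND true = A, A AND false = false).
 *
 * @param args optional: args[0] is the ename filter value, args[1] the job filter
 *             value; the defaults "ABC" and "CLERK" are used when they are absent.
 *             Because both are bound with setString, input such as
 *             {@code ' OR 1=1 --} is compared literally and cannot alter the statement.
 * @throws Exception propagated from DBUtils.getConnection() and the JDBC calls
 */
public static void main(String[] args) throws Exception {
    String ename = args.length > 0 ? args[0] : "ABC";
    String job = args.length > 1 ? args[1] : "CLERK";

    // Fixed SQL text: no user data is ever concatenated into this string. Note that
    // PreparedStatement only binds *values* - table/column names and ORDER BY targets
    // cannot be parameterised and must be chosen from a fixed whitelist instead.
    String sql = "select * from emp "
            + "where (1=? or ename=?) and (1=? or job=?)";

    // try-with-resources closes ResultSet, PreparedStatement and Connection in
    // reverse order even when executeQuery() throws. The original listing closed
    // only the Connection, and only on the success path, leaking it on any error.
    try (Connection con = DBUtils.getConnection();
         PreparedStatement stmt = con.prepareStatement(sql)) {
        // The flag parameters are program-controlled ints, not user input; only the
        // two Strings are user-influenced, and the driver sends them to the server
        // separately from the SQL text, so they can never be parsed as SQL.
        stmt.setInt(1, 1);      // flag = 1: ename condition is ignored (1=1 OR ...)
        stmt.setString(2, ename);
        stmt.setInt(3, 0);      // flag = 0: job condition is enforced (1=0 OR job=?)
        stmt.setString(4, job);

        try (ResultSet rs = stmt.executeQuery()) {
            while (rs.next()) {
                // Positional access relies on the column order of "select *";
                // naming the columns explicitly would make this robust to schema changes.
                System.out.println(rs.getString(1) + "," + rs.getString(2) + ","
                        + rs.getString(3));
            }
        }
    }
}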
}