原来是这样写的,当我登录时输入:' or 1=1 -- 会导致登录成功!这样让我必须要做防注入。
/**
 * Looks up the login user by user name and password digest — the original,
 * injectable version in which the query is assembled by string concatenation.
 *
 * Both parameters come from the login form, so they are attacker-controlled.
 * Because they are spliced directly into {@code loginSQL}, a value containing a
 * quote ends the string literal and the remainder is parsed as SQL instead of
 * being compared as data; that is why the input quoted above this method logs
 * in without a valid password. The remedy is bound parameters (see the second
 * version below), not escaping.
 *
 * @param userName    login name as typed by the user (untrusted)
 * @param md5password presumably an MD5 digest of the typed password (per the
 *                    parameter name — not verifiable here); untrusted, compared
 *                    verbatim with the stored Password column
 * @return the first matching row as a column -> value map, or {@code null} when
 *         nothing matches or the query throws
 */
@SuppressWarnings("unchecked")
public Map<String, Object> getFabaoUser(String userName, String md5password) {
// INJECTION POINT: userName and md5password are concatenated inside the quoted
// literals, so the caller controls SQL syntax, not just values. "select *" also
// pulls every column, including Password, into the returned map.
String loginSQL="select * from CM_CONF_User where Login_Name='"+userName+"' and Password='"+md5password+"'";
Map<String, Object> u=null;
try {
//List<FabaoUser> list = this.findPojoBySqlToBean(loginSQL, FabaoUser.class);
// NOTE(review): DBSelect takes only the finished SQL text; whether it offers a
// parameterised overload cannot be seen from this file.
List<Map<String, Object>> list = this.DBSelect(loginSQL);
if (list!=null && list.size()>0) {
// First row wins; with an injected always-true predicate this is simply
// whichever row the database returns first, not the named user.
u = list.get(0);
}
} catch (Exception e) {
// Every failure (including SQL syntax errors caused by malformed input) is
// printed and the method falls through to return null, i.e. "no user".
e.printStackTrace();
}
return u;
}
后来参考了别人的写法,使用了预编译的方法进行防sql注入!
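/**
 * Looks up the login user by user name and password digest using a
 * bound-parameter query.
 *
 * {@code userName} and {@code md5password} are never part of the SQL text: they
 * are bound with {@link PreparedStatement#setString}, so the driver transmits
 * them as data and characters such as quotes or comment markers cannot change
 * the statement's structure. The statement and result set are closed on every
 * path (the original leaked both).
 *
 * @param userName    login name as typed by the user (untrusted)
 * @param md5password password digest supplied by the caller (untrusted);
 *                    presumably an MD5 hex string per the parameter name,
 *                    compared verbatim with the stored Password column
 * @return a map holding the matched row's {@code User_ID} as a String, or
 *         {@code null} when no row matches or the matched row has no User_ID
 * @throws SQLException if obtaining the connection or running the query fails
 */
public Map<String, Object> getFabaoUser(String userName, String md5password) throws SQLException {
// NOTE(review): ConnectionUtil is not in view, so whether the returned
// connection is pooled/shared or owned by this call cannot be told; it is
// left open here on purpose. The statement and result set are owned by this
// method and are closed via try-with-resources.
Connection conn = ConnectionUtil.getConnection();
// Only User_ID is selected: the stored password digest never leaves the database.
String loginSQL = "select User_ID from CM_CONF_User where Login_Name= ? and Password=? ";
try (PreparedStatement preState = conn.prepareStatement(loginSQL)) {
    // Placeholders are filled by the driver; no string building with user input.
    preState.setString(1, userName);
    preState.setString(2, md5password);
    try (ResultSet rs = preState.executeQuery()) {
        if (!rs.next()) {
            return null;
        }
        Object userId = rs.getObject("User_ID");
        if (userId == null) {
            // Fail closed: a row without an identifier is treated as "no user"
            // rather than throwing an NPE on toString() as the original did.
            return null;
        }
        Map<String, Object> u = new HashMap<String, Object>();
        u.put("User_ID", userId.toString());
        return u;
    }
}
}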