Preparation for connecting Java to MySQL
1. Download MySQL (and learn its basic syntax)
2. Download the Java–MySQL connector (the JDBC driver)
3. Add the two downloaded jar files to the project
Basic steps for writing a Java program that connects to the database:
1. Register (load) the driver for the corresponding database
Class.forName ( "com.mysql.jdbc.Driver"); // choose to register drive
2. Connect Java to the database
Connection con = DriverManager.getConnection (url, user, password); // create and connect mysql database
3. Create an object that can execute database statements
Statement stmt = con.createStatement();
stmt.executeQuery (SqlRequest); // return result
4. Store the results in a variable
ResultSet rs= stmt.executeQuery(SqlRequest);
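import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Minimal JDBC demo against a local MySQL database {@code dy}.
 *
 * <p>{@link #selectAll()} prints every row of {@code student};
 * {@link #selectByUsernamePassword(String, String)} and
 * {@link #selectByUsernamePassword2(String, String)} report whether a
 * {@code user} row matches the given name and password. Both lookups bind the
 * caller-supplied values through a {@link PreparedStatement}, so user input is
 * treated as data and never spliced into the SQL text.
 */
public class MysqlDemo1 {

    private static final Logger LOG = Logger.getLogger(MysqlDemo1.class.getName());

    /** Driver class loaded before connecting (kept from the original listing). */
    private static final String DRIVER = "com.mysql.jdbc.Driver";

    /**
     * Connection URL from the original listing. NOTE(review): {@code useSSL=false}
     * disables TLS on the database connection; acceptable for a local demo only.
     */
    private static final String URL =
            "jdbc:mysql://localhost:3306/dy?useUnicode=true&characterEncoding=utf-8&useSSL=false";

    /** Database credentials, hard-coded in the original listing; demo use only. */
    private static final String DB_USER = "root";
    private static final String DB_PASSWORD = "root";

    private static final String SELECT_ALL_SQL = "select * from student";

    /**
     * Parameterized login lookup; both {@code ?} placeholders are bound with
     * {@code setString}. NOTE(review): this compares a plaintext
     * {@code u_password} column; a real application would store a salted hash.
     */
    private static final String SELECT_USER_SQL =
            "select * from user where u_name=? and u_password=?";

    public static void main(String[] args) {
        selectAll();
        // Example login check, kept commented out as in the original:
        // System.out.println(selectByUsernamePassword2("zs", "123"));
    }

    /**
     * Opens a connection and prints the first four columns of every
     * {@code student} row, space-separated, one row per line.
     *
     * <p>Best-effort, as in the original: a missing driver or any SQL error is
     * logged and the method returns normally. Every JDBC resource is released
     * by try-with-resources, replacing the original's three nested close blocks.
     */
    public static void selectAll() {
        try {
            Class.forName(DRIVER);
            try (Connection con = DriverManager.getConnection(URL, DB_USER, DB_PASSWORD);
                 Statement stmt = con.createStatement();
                 ResultSet rs = stmt.executeQuery(SELECT_ALL_SQL)) {
                while (rs.next()) {
                    // Columns are read by position; getString works for any column type.
                    System.out.println(rs.getString(1) + " " + rs.getString(2) + " "
                            + rs.getString(3) + " " + rs.getString(4));
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            LOG.log(Level.SEVERE, "selectAll failed", e);
        }
    }

    /**
     * Returns whether a {@code user} row has the given name and password.
     *
     * <p>The original version built the query by concatenating {@code username}
     * and {@code password} into the SQL text and ran it through a plain
     * {@link Statement}; that concatenation is the SQL-injection flaw this page
     * discusses, and most of its body was lost in the listing. It now delegates
     * to the parameterized lookup so existing callers keep the same contract
     * with safe behaviour.
     *
     * @param username value compared against {@code u_name}
     * @param password value compared against {@code u_password}
     * @return {@code true} if at least one row matches, otherwise {@code false}
     */
    public static boolean selectByUsernamePassword(String username, String password) {
        return selectByUsernamePassword2(username, password);
    }

    /**
     * Returns whether a {@code user} row has the given name and password,
     * binding both values with {@link PreparedStatement#setString} so they are
     * treated as data rather than as SQL.
     *
     * @param username value bound to the first placeholder ({@code u_name})
     * @param password value bound to the second placeholder ({@code u_password})
     * @return {@code true} if at least one row matches; {@code false} if none
     *     matches or the lookup failed (driver missing, connection or query
     *     error — the error is logged, as in the original)
     */
    public static boolean selectByUsernamePassword2(String username, String password) {
        try {
            Class.forName(DRIVER);
            try (Connection con = DriverManager.getConnection(URL, DB_USER, DB_PASSWORD);
                 PreparedStatement pstmt = con.prepareStatement(SELECT_USER_SQL)) {
                pstmt.setString(1, username);
                pstmt.setString(2, password);
                try (ResultSet rs = pstmt.executeQuery()) {
                    // A single matching row is enough; the row contents are not used.
                    return rs.next();
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            LOG.log(Level.SEVERE, "selectByUsernamePassword2 failed", e);
            return false;
        }
    }
}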
How SQL injection arises: with Statement, the query is built by our own string concatenation (the password receives no special treatment), so a user can exploit that concatenation.
Example: `System.out.println(selectByUsernamePassword2("zs", "12347'or'1'='1"));` — if this input were spliced into the query by string concatenation, the resulting SQL would be `select * from user where u_name='zs' and u_password='12347'or'1'='1'`
After evaluation, this statement returns true.
SQL injection solution: we do not concatenate strings ourselves; instead we let another system class do that work for us. We abandon Statement in favor of PreparedStatement, which handles the username and password through its setString method.