如何比较来自 mysql 数据库 table 记录的两个输入字符串。?
How to compare two input Strings from mysql database table record.?
此代码在 mysql table 中有一条插入记录,但我想将 jsp/html 文本框字符串与 mysql 列进行比较,后者已经像登录一样存在。这是登录页面
我知道的两件事
- 更改mysql查询
- 将输入字符串与 mysql 列数据进行比较我该怎么做?
NewServlet.java
public class NewServlet1 extends HttpServlet {
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String name=request.getParameter("username");
String abc=request.getParameter("password");
aaaa c1=new aaaa();
try{
String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";
c1.st.executeUpdate(Sql);
}
catch(SQLException ex)
{
out.println(ex);
}
try {
out.println("<html>");
out.println("<head>");
out.println("<title>Servlet NewServlet1</title>");
out.println("</head>");
out.println("<body>");
out.println("<h1>Servlet NewServlet1 at " + request.getContextPath() + "</h1>");
out.println("</body>");
out.println("</html>");
} finally {
out.close();
}
}
aaaa.java//注释这个class是为了数据库连接//
public class aaaa {
Connection c1 = null;
Statement st = null;
ResultSet rs = null;
aaaa(){
try {
Class.forName("com.mysql.jdbc.Driver");
c1 = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/teacher","root", "abcde");
}
catch (Exception cnfe) {
System.out.println("Couldn't find the driver!");
System.out.println("Couldn't connect: print out a stack trace and exit.");
System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
}
try {
st = (Statement) c1.createStatement();
System.out.println("Statement Created Successfully");
} catch (SQLException se) {
System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
se.printStackTrace();
}
if (c1 != null) {
System. out.println("Hooray! We connected to the database!");
} else {
System.out.println("We should never get here.");
}
}
}
您的sql字符串代码:
String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";
容易受到 sql 注入。假设用户输入的内容类似于您数据库中存在的用户名,后跟用户名的注释字符,应用程序将授权用户,因此您很容易受到攻击。一些疯狂的黑客甚至可以使用相同的技术删除您的登录信息 table,您的应用程序将会关闭。
** sql 注射的补救措施:**
使用准备好的语句来解析您的输入。
参见:How to use prepared statement for select query in Java?
现在回答你的问题,你可以将用户输入传递给查询(使用准备好的语句)并检查是否存在使用结果集的结果是否有下一个函数(类似的东西!);如果是,则授权用户,否则什么都不做。
此代码在 mysql table 中有一条插入记录,但我想将 jsp/html 文本框字符串与 mysql 列进行比较,后者已经像登录一样存在。这是登录页面
我知道的两件事
- 更改mysql查询
- 将输入字符串与 mysql 列数据进行比较我该怎么做?
NewServlet.java
public class NewServlet1 extends HttpServlet {
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
PrintWriter out = response.getWriter();
String name=request.getParameter("username");
String abc=request.getParameter("password");
aaaa c1=new aaaa();
try{
String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";
c1.st.executeUpdate(Sql);
}
catch(SQLException ex)
{
out.println(ex);
}
try {
out.println("<html>");
out.println("<head>");
out.println("<title>Servlet NewServlet1</title>");
out.println("</head>");
out.println("<body>");
out.println("<h1>Servlet NewServlet1 at " + request.getContextPath() + "</h1>");
out.println("</body>");
out.println("</html>");
} finally {
out.close();
}
}
aaaa.java//注释这个class是为了数据库连接//
public class aaaa {
Connection c1 = null;
Statement st = null;
ResultSet rs = null;
aaaa(){
try {
Class.forName("com.mysql.jdbc.Driver");
c1 = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/teacher","root", "abcde");
}
catch (Exception cnfe) {
System.out.println("Couldn't find the driver!");
System.out.println("Couldn't connect: print out a stack trace and exit.");
System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
}
try {
st = (Statement) c1.createStatement();
System.out.println("Statement Created Successfully");
} catch (SQLException se) {
System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
se.printStackTrace();
}
if (c1 != null) {
System. out.println("Hooray! We connected to the database!");
} else {
System.out.println("We should never get here.");
}
}
}
您的sql字符串代码:
String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";
容易受到 sql 注入。假设用户输入的内容类似于您数据库中存在的用户名,后跟用户名的注释字符,应用程序将授权用户,因此您很容易受到攻击。一些疯狂的黑客甚至可以使用相同的技术删除您的登录信息 table,您的应用程序将会关闭。
** sql 注射的补救措施:** 使用准备好的语句来解析您的输入。 参见:How to use prepared statement for select query in Java?
现在回答你的问题,你可以将用户输入传递给查询(使用准备好的语句)并检查是否存在使用结果集的结果是否有下一个函数(类似的东西!);如果是,则授权用户,否则什么都不做。