在之前提到過Statement的三個問題
用PreparedStatement解決sql注入
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Scanner;
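/**
 * Looks up employees by name using a parameterised {@link PreparedStatement}.
 *
 * <p>The user-supplied name is bound through {@code setObject} instead of being
 * concatenated into the SQL text, so whatever is typed is always treated as a
 * value and never as part of the statement. All JDBC resources are opened in
 * try-with-resources blocks so they are released even when a call throws.
 */
public class TestPreParedStatement2 {

    // Connection details for the demo database. In real code these belong in
    // configuration rather than in source.
    private static final String URL = "jdbc:mysql://localhost:3306/1205db";
    private static final String USER = "root";
    private static final String PASSWORD = "123456";

    /** Query template; the single {@code ?} placeholder receives the employee name. */
    private static final String SQL = "select * from t_employee where ename = ?";

    /**
     * Reads a name from standard input, runs the query and prints every matching row.
     *
     * @param args ignored
     * @throws Exception if the driver cannot be loaded or any JDBC call fails
     */
    public static void main(String[] args) throws Exception {
        try (Scanner input = new Scanner(System.in)) {
            System.out.println("請輸入名字");
            String ename = input.nextLine();

            Class.forName("com.mysql.jdbc.Driver");
            try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
                 PreparedStatement pst = conn.prepareStatement(SQL)) {
                // Bind the name as a parameter; the driver escapes it, so the
                // statement shape cannot be altered by the input.
                pst.setObject(1, ename);
                try (ResultSet rs = pst.executeQuery()) {
                    printRows(rs);
                }
            }
        }
    }

    /**
     * Prints every row of {@code rs}, one tab-separated line per row.
     *
     * <p>The column count comes from the result set's metadata rather than a
     * hard-coded 10, so the loop matches the actual width of {@code t_employee}
     * and does not throw when the table has fewer columns.
     *
     * @param rs an open result set positioned before its first row
     * @throws SQLException if reading the metadata or a column fails
     */
    private static void printRows(ResultSet rs) throws SQLException {
        int columnCount = rs.getMetaData().getColumnCount();
        while (rs.next()) {
            for (int i = 1; i <= columnCount; i++) {
                System.out.print(rs.getObject(i) + "\t");
            }
            System.out.println();
        }
    }
}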
換為 SQL 注入的輸入：
沒有任何回應，再換一個：
還是沒有任何反應。