如何从mysql数据库表记录中比较两个输入字符串。

时间:2016-07-25 21:11:15

标签: java mysql jsp servlets netbeans-7

此代码在mysql表中有一个插入记录,但我想将jsp / html文本框String与mysql列进行比较,该列已经存在,就像登录一样。这是登录页面

我知道的两件事

  1. 更改mysql查询
  2. 将输入字符串与mysql列数据进行比较我该怎么做?

    3. NewServlet.java 

             public class NewServlet1 extends HttpServlet {
         protected void processRequest(HttpServletRequest request, HttpServletResponse response)
         throws ServletException, IOException {
         response.setContentType("text/html;charset=UTF-8");
         PrintWriter out = response.getWriter();

        String name=request.getParameter("username");
        String abc=request.getParameter("password");

        aaaa c1=new aaaa();

        try{

          String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";

          c1.st.executeUpdate(Sql);   
        }
         catch(SQLException ex)
         {

         out.println(ex);

         }

         try {

        out.println("<html>");
        out.println("<head>");
        out.println("<title>Servlet NewServlet1</title>");            
        out.println("</head>");
        out.println("<body>");
        out.println("<h1>Servlet NewServlet1 at " + request.getContextPath() + "</h1>");
        out.println("</body>");
        out.println("</html>");
    } finally {            
        out.close();
     }
   }

    aaaa.java //评论此类用于数据库连接// 

                public class aaaa {

            Connection c1 = null;
            Statement st = null;
            ResultSet rs = null;
            aaaa(){
            try {
            Class.forName("com.mysql.jdbc.Driver");
            c1 = (Connection) DriverManager.getConnection("jdbc:mysql://localhost:3306/teacher","root", "abcde");

            } 
            catch (Exception cnfe) {
               System.out.println("Couldn't find the driver!");
               System.out.println("Couldn't connect: print out a stack trace and exit.");
               System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
               }
            try {
                st = (Statement) c1.createStatement();
                System.out.println("Statement Created Successfully");
              } catch (SQLException se) {
                System.out.println("We got an exception while creating a statement:" + "that probably means we're no longer connected.");
                se.printStackTrace();
            }
            if (c1 != null) {
               System. out.println("Hooray! We connected to the database!");
            } else {
                System.out.println("We should never get here.");
             }
           }
        }

1 个答案:

答案 0 :(得分:0)

你的sql字符串代码:

String Sql="Select * from login where username='"+name+"' AND password='"+abc+"'";

容易受到sql注入攻击。假设用户输入的内容类似于数据库中存在的用户名,后跟用户名的注释字符,应用程序将授权用户,因此您容易受到攻击。一些疯狂的黑客甚至可以使用相同的技术删除您的登录表,并且您的应用程序将会关闭。

** sql注入的补救措施:** 使用预准备语句来解析您的输入。 请参阅:How to use prepared statement for select query in Java?

现在回答您的问题,您可以将用户输入传递给查询(使用预准备语句),并检查结果集是否存在使用结果集具有下一个功能(类似的东西!);如果确实如此,那么授权用户别无所作为。

相关问题
最新问题