PreparedStatementはsql注入問題を解決する
PreparedStatementでsql注入の問題を解決する
PreparedStatement sql
PreparedStatement sql
:sql ?
2. PreparedStatement
// The SQL text passed in must use bare '?' for each value to be supplied later;
// the driver sends the text and the bound values separately, so a value can
// never change the statement's structure.
PreparedStatement pst=conn.prepareStatement(String sql);
pst.setString(1,"aaa");// binds the first '?' (parameters are 1-based)
pst.setString(2,"bbb");// binds the second '?'
// PreparedStatement sql
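/**
 * Looks up the row in {@code user} whose username and password both match the
 * values carried by {@code user}.
 *
 * <p>The username and password are passed as bind parameters, so they are
 * sent to the database as data rather than spliced into the SQL text.
 *
 * <p>NOTE(review): the query compares the {@code password} column directly to
 * the supplied value and the returned object carries the stored
 * {@code password}; confirm how passwords are stored before relying on this.
 *
 * @param user carries the username and password to search for
 * @return the matching user, or {@code null} when no row matches or the
 *     lookup fails
 */
public User findUser(User user) {
    // The placeholders must be unquoted. Writing '?' inside quotes turns them
    // into string literals, so the statement has no bind parameters and
    // setString(1, ...) fails.
    String sql = "select * from user where username=? and password=?";
    // try-with-resources closes the result set, statement and connection in
    // reverse order whether or not an exception occurs; the original never
    // closed any of them.
    try (Connection conn = jdbcUtils.getConnection();
         PreparedStatement pst = conn.prepareStatement(sql)) {
        pst.setString(1, user.getUsername());
        pst.setString(2, user.getPassword());
        try (ResultSet rs = pst.executeQuery()) {
            if (rs.next()) {
                return readUser(rs);
            }
        }
    } catch (Exception e) {
        // Broad catch kept from the original because the throws clause of
        // jdbcUtils.getConnection() is not visible here; a failure is
        // reported and treated as "not found".
        e.printStackTrace();
    }
    return null;
}

/**
 * Copies the current row of {@code rs} into a new {@link User}.
 *
 * @param rs a result set positioned on a row of the {@code user} table
 * @return the populated user
 * @throws SQLException if a column cannot be read
 */
private static User readUser(ResultSet rs) throws SQLException {
    User u = new User();
    u.setId(rs.getInt("id"));
    u.setUsername(rs.getString("username"));
    u.setPassword(rs.getString("password"));
    u.setEmail(rs.getString("email"));
    return u;
}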