当前页面: 开发资料首页 → J2SE 专题 → 急请教JDBC问题

急请教JDBC问题

摘要: 急请教JDBC问题

if(ee.getSource()==bt1) {
try{
st1="";
st2=tf1.getText().trim();
st3=new String(pf.getPassword());
if(st2!=st1&&st3!=st1) {
st4="select*from Landing where 管理员名='"+st2+"'and 密码='"+st3+"'";
rs1=stmt.executeQuery(st4);
if(rs1.next()) {
szfrm app=new szfrm();
app.setExtendedState(JFrame.MAXIMIZED_BOTH);//让窗口起动后最大化
this.dispose();


} else {JOptionPane.showMessageDialog(null,"你不是合法用户");tf1.setText("");
pf.setText("");}
}else{JOptionPane.showMessageDialog(null,"输入格式不正确");}
rs1.close();
} catch(Exception e10) {
System.out.println(e10.toString());
}
}

st4="select*from Landing where 管理员名='"+st2+"'and 密码='"+st3+"'";这句要被SQL注入式攻击

换成用PreparedStatement写,该如何写啊!

---

st4="select*from Landing where 管理员名=? and 密码=?;
PreparedStatement pstmt=connetion.prepateStatement(st4);
pstmt.setString(1,st2);
pstmt.setString(2,st3);
rs1=stmt.executeQuery();
------------
PS:楼主的变量名命名有点乱!

---

st4="select*from Landing where 管理员名=? and 密码=?";
PreparedStatement pstmt=connetion.prepateStatement(st4);
pstmt.setString(1,st2);
pstmt.setString(2,st3);
rs1=stmt.executeQuery();

---

谢谢哈!我也搞出来了,的确是哈!

多谢你的提醒哈!

---