??????????????????У????????дJ(rèn)DBC???п????????????????????п???SQL????????
?????????????SQL????????η??SQL????????
?????????SQL???
??????νSQL??????????SQL???????Web????????????????????????????????????????????????ж????SQL??????????????????????????ó?????????????SQL?????????????????????е??????????????????Web?????????????SQL???????????????????????????????????????????????????SQL???[1] ?????????????????й?VIP??????????????WEB???????????????????????????????????SQL??????????
??????.????????????е?????
????1. ???????
????/**????????**/
????String tableName = "emp_test";
????/**????????????е??????**/
????DBUtil.query(tableName?? null);
????2. ????????
????SELECT  * FROM emp_test
??????????????14??????
??????1?У?{DEPT_TEST_ID=10?? EMP_ID=1001?? SALARY=10000?? HIRE_DATE=2010-01-12?? PASSWORD=123456?? BONUS=2000?? MANAGER=1005?? JOB=Manager?? NAME=?????}
??????2?У?{DEPT_TEST_ID=10?? EMP_ID=1002?? SALARY=8000?? HIRE_DATE=2011-01-12?? PASSWORD=123456?? BONUS=1000?? MANAGER=1001?? JOB=Analyst?? NAME=??????}
??????3?У?{DEPT_TEST_ID=10?? EMP_ID=1003?? SALARY=9000?? HIRE_DATE=2010-02-11?? PASSWORD=123456?? BONUS=1000?? MANAGER=1001?? JOB=Analyst?? NAME=???}
??????4?У?{DEPT_TEST_ID=10?? EMP_ID=1004?? SALARY=5000?? HIRE_DATE=2010-02-11?? PASSWORD=123456?? BONUS=null?? MANAGER=1001?? JOB=Programmer?? NAME=?????}
??????5?У?{DEPT_TEST_ID=20?? EMP_ID=1005?? SALARY=15000?? HIRE_DATE=2008-02-15?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=President?? NAME=??????}
??????6?У?{DEPT_TEST_ID=20?? EMP_ID=1006?? SALARY=5000?? HIRE_DATE=2009-02-01?? PASSWORD=123456?? BONUS=400?? MANAGER=1005?? JOB=Manager?? NAME=??С??}
??????7?У?{DEPT_TEST_ID=20?? EMP_ID=1007?? SALARY=3000?? HIRE_DATE=2009-02-01?? PASSWORD=123456?? BONUS=500?? MANAGER=1006?? JOB=clerk?? NAME=????}
??????8?У?{DEPT_TEST_ID=30?? EMP_ID=1008?? SALARY=5000?? HIRE_DATE=2009-05-01?? PASSWORD=123456?? BONUS=500?? MANAGER=1005?? JOB=Manager?? NAME=????}
??????9?У?{DEPT_TEST_ID=30?? EMP_ID=1009?? SALARY=4000?? HIRE_DATE=2009-02-20?? PASSWORD=123456?? BONUS=null?? MANAGER=1008?? JOB=salesman?? NAME=ΤС??}
??????10?У?{DEPT_TEST_ID=30?? EMP_ID=1010?? SALARY=4500?? HIRE_DATE=2009-05-10?? PASSWORD=123456?? BONUS=500?? MANAGER=1008?? JOB=salesman?? NAME=????}
??????11?У?{DEPT_TEST_ID=null?? EMP_ID=1011?? SALARY=null?? HIRE_DATE=null?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=?????}
??????12?У?{DEPT_TEST_ID=null?? EMP_ID=1012?? SALARY=null?? HIRE_DATE=2011-08-10?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=amy}
??????13?У?{DEPT_TEST_ID=null?? EMP_ID=1014?? SALARY=8000?? HIRE_DATE=null?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=?????}
??????14?У?{DEPT_TEST_ID=20?? EMP_ID=1015?? SALARY=null?? HIRE_DATE=null?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=??????}
??????.??????????SQL???
????1. ?????α????
????/**?????????????**/
????String name = "'1' OR '1'='1'";
????/**????????????**/
????String password = "'1' OR '1'='1'";
????/**?????SQL???????**/
????String sql = "SELECT * FROM emp_test WHERE name = " + name + " and password = " + password;
????DBUtil.query(sql);
????```
????###### 2. ??????
????```java
????SELECT * FROM emp_test WHERE name = '1' OR '1'='1' and password = '1' OR '1'='1'
??????????????14??????
??????1?У?{DEPT_TEST_ID=10?? EMP_ID=1001?? SALARY=10000?? HIRE_DATE=2010-01-12?? PASSWORD=123456?? BONUS=2000?? MANAGER=1005?? JOB=Manager?? NAME=?????}
??????2?У?{DEPT_TEST_ID=10?? EMP_ID=1002?? SALARY=8000?? HIRE_DATE=2011-01-12?? PASSWORD=123456?? BONUS=1000?? MANAGER=1001?? JOB=Analyst?? NAME=??????}
??????3?У?{DEPT_TEST_ID=10?? EMP_ID=1003?? SALARY=9000?? HIRE_DATE=2010-02-11?? PASSWORD=123456?? BONUS=1000?? MANAGER=1001?? JOB=Analyst?? NAME=???}
??????4?У?{DEPT_TEST_ID=10?? EMP_ID=1004?? SALARY=5000?? HIRE_DATE=2010-02-11?? PASSWORD=123456?? BONUS=null?? MANAGER=1001?? JOB=Programmer?? NAME=?????}
??????5?У?{DEPT_TEST_ID=20?? EMP_ID=1005?? SALARY=15000?? HIRE_DATE=2008-02-15?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=President?? NAME=??????}
??????6?У?{DEPT_TEST_ID=20?? EMP_ID=1006?? SALARY=5000?? HIRE_DATE=2009-02-01?? PASSWORD=123456?? BONUS=400?? MANAGER=1005?? JOB=Manager?? NAME=??С??}
??????7?У?{DEPT_TEST_ID=20?? EMP_ID=1007?? SALARY=3000?? HIRE_DATE=2009-02-01?? PASSWORD=123456?? BONUS=500?? MANAGER=1006?? JOB=clerk?? NAME=????}
??????8?У?{DEPT_TEST_ID=30?? EMP_ID=1008?? SALARY=5000?? HIRE_DATE=2009-05-01?? PASSWORD=123456?? BONUS=500?? MANAGER=1005?? JOB=Manager?? NAME=????}
??????9?У?{DEPT_TEST_ID=30?? EMP_ID=1009?? SALARY=4000?? HIRE_DATE=2009-02-20?? PASSWORD=123456?? BONUS=null?? MANAGER=1008?? JOB=salesman?? NAME=ΤС??}
??????10?У?{DEPT_TEST_ID=30?? EMP_ID=1010?? SALARY=4500?? HIRE_DATE=2009-05-10?? PASSWORD=123456?? BONUS=500?? MANAGER=1008?? JOB=salesman?? NAME=????}
??????11?У?{DEPT_TEST_ID=null?? EMP_ID=1011?? SALARY=null?? HIRE_DATE=null?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=?????}
??????12?У?{DEPT_TEST_ID=null?? EMP_ID=1012?? SALARY=null?? HIRE_DATE=2011-08-10?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=amy}
??????13?У?{DEPT_TEST_ID=null?? EMP_ID=1014?? SALARY=8000?? HIRE_DATE=null?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=?????}
??????14?У?{DEPT_TEST_ID=20?? EMP_ID=1015?? SALARY=null?? HIRE_DATE=null?? PASSWORD=123456?? BONUS=null?? MANAGER=null?? JOB=null?? NAME=??????}
?????????????????????????????????????????????????????????????????????????????????????????????????
??????.??????????SQL???
????1. ?????α????
????/**?????????????**/
????String name = "'1' OR '1'='1'";
????/**????????????**/
????String password = "'1' OR '1'='1'";
????/**?????ò?????????**/
????String where = "name = ?  AND password = ? ";
????String[] whereArgs = new String[]{name?? password};
????DBUtil.query("emp_test"?? where?? whereArgs);
????2. ??????
????/**????????????????????????????????????PreparedStatement??????е?SQL???**/
????SELECT  * FROM emp_test WHERE name = '1' OR '1'='1'  AND password = '1' OR '1'='1'
??????????????0??????
???????????????????????????????Ч???????????????????