- +-----------+----+--------+
- | userName | id | pass |
- +-----------+----+--------+
- | admin | 1 | admin |
- | user | 2 | pass |
- | chuchelo | 3 | elli |
- +-----------+----+--------+
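/**
 * Collects a user name and password from standard input.
 *
 * <p>Both values live in package-private fields because the login snippets
 * in this listing read {@code user.name} and {@code user.pass} directly.
 * Holding a password in a {@link String} is a known weakness (it cannot be
 * zeroed and may linger on the heap until GC); a {@code char[]} would be
 * preferable, but the field type is kept so those callers still compile.
 */
final class UserLogin {
    /** User name as typed; "" if stdin reached end-of-stream before a line was read. */
    String name;
    /** Password as typed; "" if stdin reached end-of-stream before a line was read. */
    String pass;

    public UserLogin() {
    }

    /**
     * Prompts for a user name and a password on stdout and reads one line
     * for each from stdin into {@link #name} and {@link #pass}.
     *
     * <p>The reader wrapping {@code System.in} is deliberately NOT closed:
     * closing it closes {@code System.in} itself for the rest of the process,
     * so any later prompt in the program would fail. The charset is pinned to
     * UTF-8 so the same bytes decode identically on every platform.
     * An {@link IOException} is reported on stderr and leaves the fields at
     * whatever was read before the failure.
     *
     * <p>NOTE(review): a fresh BufferedReader over System.in per call can
     * buffer bytes beyond the two lines consumed here; if other code reads
     * stdin afterwards, share a single reader instead.
     */
    public void login() {
        BufferedReader in = new BufferedReader(
                new InputStreamReader(System.in, StandardCharsets.UTF_8));
        try {
            System.out.println("user name: ");
            name = orEmpty(in.readLine());
            System.out.println("pass: ");
            pass = orEmpty(in.readLine());
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /** Maps the {@code null} that readLine() returns at end of stream to "". */
    private static String orEmpty(String line) {
        return line == null ? "" : line;
    }
}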
// Version 1 (INTENTIONALLY VULNERABLE — kept as-is for the demonstration):
// the user name and password are spliced into the SQL text by string
// concatenation, so a quote in the input becomes part of the query's syntax.
// The transcript below shows user name `admin' or'1'='1` with a wrong
// password still returning the admin row: AND binds tighter than OR, so the
// WHERE clause reads userName='admin' OR ('1'='1' AND pass='blabla'), and
// the first disjunct alone matches. The parameterised version further down
// is the fix.
UserLogin user = new UserLogin();
user.login();
try (Connection connect = MyConnection.getConnection()) {
    // Plain Statement: the query text is fully formed before the driver sees
    // it, so nothing separates data from code.
    Statement statement = connect.createStatement();
    String query = "SELECT userName, id, pass FROM users WHERE userName='" + user.name + "' AND pass = '" + user.pass + "'";
    // SECURITY: prints the complete query, including the plaintext password,
    // to stdout (and thus to any captured log).
    System.out.println(query);
    ResultSet resultSet = statement.executeQuery(query);
    // SECURITY: echoes the stored password back as well; the users table in
    // this listing holds passwords in clear text rather than a salted hash.
    // NOTE(review): "%sn" is presumably "%s\n" with the backslash lost when
    // the listing was pasted — the transcript shows one row per line.
    while (resultSet.next()) {
        System.out.printf("User: id=%d name=%s pass=%sn",
                resultSet.getInt("id"),
                resultSet.getString("userName"),
                resultSet.getString("pass"));
    }
    // statement and resultSet are never closed; only the connection is (by
    // try-with-resources). closeConnect() is a project helper whose effect is
    // not visible from this listing.
    MyConnection.closeConnect();
} catch (SQLException e) {
    e.printStackTrace();
}
- user name: admin
- pass: admin
- User: id=1 name=admin pass=admin
- SELECT userName, id, pass FROM users WHERE userName='admin' AND pass = 'admin'
- user name: admin' or'1'='1
- pass: blabla
- User: id=1 name=admin pass=admin
- SELECT userName, id, pass FROM users WHERE userName='admin' or'1'='1' AND pass = 'blabla'
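// Version 2 (parameterised): the SQL text is a constant and the two inputs
// are bound with setString(), so the driver sends them as data and a quote
// in the user name cannot alter the query's structure. The transcript below
// shows user name `user' or'1'='1` matching nothing.
UserLogin user = new UserLogin();
user.login();
// Nothing from the user is ever concatenated into this text.
String query = "SELECT userName, id, pass FROM users WHERE userName=? AND pass=?";
try (Connection connect = MyConnection.getConnection();
     PreparedStatement statement = connect.prepareStatement(query)) {
    statement.setString(1, user.name);
    statement.setString(2, user.pass);
    // Print only the template. Printing the PreparedStatement object itself
    // (as the original did) lets many drivers render the bound values — i.e.
    // the plaintext password — into stdout/logs.
    System.out.println(query);
    // The ResultSet is closed as well, not only the connection.
    try (ResultSet resultSet = statement.executeQuery()) {
        while (resultSet.next()) {
            // Do not echo the stored password back to the terminal; the match
            // already happened server-side. Comparing a plaintext password in
            // SQL is itself a weakness — the column should hold a salted hash
            // verified in application code — but that is a schema change this
            // listing does not make.
            System.out.printf("User: id=%d name=%s%n",
                    resultSet.getInt("id"),
                    resultSet.getString("userName"));
        }
    }
    // Project helper; its exact effect is not visible from this listing.
    MyConnection.closeConnect();
} catch (SQLException e) {
    e.printStackTrace();
}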
- user name: user
- pass: pass
- User: id=2 name=user pass=pass
- Query:
- SELECT userName, id, pass FROM users WHERE userName='user' AND pass='pass'
- user name: user' or'1'='1
- pass: inject
- SELECT userName, id, pass FROM users WHERE userName='user' or'1'='1' AND pass='inject'