将登录名与数据库内字段比较,看用户是否在其中。这样验证怎么不行?该怎么验证?
String sql0 = "select * from kehu where zhuceming =" + name;
ResultSet rs;
rs=stmt.executeQuery(sql0);
int i=0;
while (rs.next())
{
i++;
if (i!=0)
response.sendRedirect("newone.jsp");
else
response.sendRedirect("session_login.jsp");}
%>
String sql0 = "select * from kehu where zhuceming =" + name;
ResultSet rs;
rs=stmt.executeQuery(sql0);
int i=0;
while (rs.next())
{
i++;
if (i!=0)
response.sendRedirect("newone.jsp");
else
response.sendRedirect("session_login.jsp");}
%>
a' or 1=1 --这样我就可以随便登录了。
jsp登陆验证代码,连接mysql数据库在表单中,action到下面这个页面,传递 用户名 和密码代码如下<%@ page contentType="text/html; charset=gb2312" %>
<%@ page import="java.sql.*"%> <html>
<head>
<title>PCI数据采集系统用户验证</title>
<link rel="stylesheet" href="/css/index.css"></head>
<body>
<center>
<br>
<h1>※对不起,登陆操作失败※</h1>
</center>
<%!
final String DBDRIVER = "org.gjt.mm.mysql.Driver" ; //mysql包
final String DBURL = "jdbc:mysql://localhost:3306/pci"; //pci数据库名
Connection conn = null ;
PreparedStatement pstmt = null ;
ResultSet rs = null ;
%> <%String name = request.getParameter("username");
String password = request.getParameter("password");
String sql = "SELECT name FROM admin WHERE name=? AND password=?" ; boolean flag = false ;
try
{
Class.forName(DBDRIVER) ;
conn = DriverManager.getConnection(DBURL,"root","") ;
pstmt = conn.prepareStatement(sql) ;
pstmt.setString(1,name) ;
pstmt.setString(2,password) ;
rs = pstmt.executeQuery() ;
if(rs.next())
{
name = rs.getString(1) ;
flag = true ;
}
rs.close() ;
pstmt.close() ;
conn.close() ;
}
catch(Exception e)
{
System.out.println(e) ;
}
%>
<%
if(flag)
{ String name_s=null;
session.putValue("name_s",name);
response.sendRedirect("sys/index.jsp");
//成功,传递session,转向}
else{out.println("<script>alert('请输入正确的用户名或密码');location.replace('index.jsp');</script>");
}%>
<body>
</html>