String sql = "select * from UserTbl where userName = " + userName +
                         " and " + "password=" + password;
            pstmt = con.prepareStatement(sql);
            rs = pstmt.executeQuery();
            boolean flag = rs.next();
            if (flag == true) {
                response.sendRedirect(
                        "http://localhost/LoginManage/success.html");
            } else {
                response.sendRedirect(
                        "http://localhost/LoginManage/nosuccess.html");
                out.println("已经成功登陆");
            }
Experts, please advise on the following. Error.

Solutions »

  1.   

    String sql = "select * from UserTbl where userName = '" + userName +
                             "' and " + "password='" + password+"'";
                pstmt = con.prepareStatement(sql);
                rs = pstmt.executeQuery();
                boolean flag = rs.next();
                if (flag == true) {
                    response.sendRedirect(
                            "http://localhost/LoginManage/success.html");
                } else {
                    response.sendRedirect(
                            "http://localhost/LoginManage/nosuccess.html");
                }
      

  2.   

    String sql = "select * from UserTbl where userName ='" + userName +
                              "' and password='" + password + "'";
      

  3.   

    String sql = "select * from UserTbl where userName = '" + userName +
                             "' and " + "password='" + password+"'";
                pstmt = con.prepareStatement(sql);
                rs = pstmt.executeQuery();
                boolean flag = rs.next();
                if (flag == true) {
                    response.sendRedirect(
                            "http://localhost/LoginManage/success.html");
                     return;
                } else {
                    out.println("已经成功登陆");
                    response.sendRedirect(
                            "http://localhost/LoginManage/nosuccess.html");
                             return;
                    
                }
      

  4.   

    All of the above are wrong; this does not prevent SQL injection, 'or''=' can still be used as before.
    The correct way is as follows:
    String sql = "select * from UserTbl where userName = ? and password=?";
    pstmt = con.prepareStatement(sql);
    pstmt.setString(1,userName);
    pstmt.setString(2,password);
    rs = pstmt.executeQuery();
    boolean flag = rs.next();
    if (flag == true) {
        response.sendRedirect("success.html");
        // session authorization code still needs to be added here; add it yourself
    } else {
        response.sendRedirect("nosuccess.html");
        out.println("已经成功登陆");
    }