I built a login program with Struts2 + Hibernate against MySQL. Action code one:

String querySql = "from Userinfo as cust where"
    + " cust.loginname =" + userinfo.getLoginname()
    + " and cust.password = " + userinfo.getPassword() + "";

Entering 123 and exists (from Userinfo) ;123 on the login page turns the SQL statement into:

from Userinfo as cust where cust.loginname =123 and exists (from Userinfo) and cust.password = 123 (HQL statement)

and the login succeeds.
But when the code is changed to code two:

String querySql = "from Userinfo as cust where"
    + " cust.loginname ='" + userinfo.getLoginname()
    + "' and cust.password = '" + userinfo.getPassword() + "'";

entering 123 and exists (from Userinfo) ;123 on the login page turns the SQL statement into:

from Userinfo as cust where cust.loginname ='123 and exists (from Userinfo)' and cust.password = '123' (HQL statement)

and it reports that the username or password is incorrect. How can code two be injected?
Solution »
Put it in like that and it becomes cust.loginname= '1' or 1=1 or ''=''
That condition is always true; do the same with the password.
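For reference, here is the login query from the question rewritten with Hibernate named parameters, so that whatever is typed into the login form is bound as a value and never spliced into the HQL text. This is an added example, not code from the original post; it assumes a Hibernate `Session` named `session` and the `Userinfo` entity from the question with `loginname` and `password` fields.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;

// Added example (not from the original post). Assumes a Hibernate Session and the
// Userinfo entity from the question with `loginname` and `password` fields.
public class LoginDao {

    // Vulnerable form from the question ("code two"): the user-supplied values are
    // concatenated into the HQL string, so the input is parsed as part of the query.
    public Userinfo findByConcatenation(Session session, Userinfo userinfo) {
        String querySql = "from Userinfo as cust where"
            + " cust.loginname ='" + userinfo.getLoginname()
            + "' and cust.password = '" + userinfo.getPassword() + "'";
        return session.createQuery(querySql, Userinfo.class).uniqueResult();
    }

    // Hardened form: named parameters. Hibernate hands the values to JDBC as bound
    // parameters, so quotes, "and", "or" or "exists (...)" inside the input are just
    // characters of the compared string and cannot change the query structure.
    // (The question compares a plaintext password; a real login would compare a hash.)
    public Userinfo findByParameters(Session session, Userinfo userinfo) {
        Query<Userinfo> query = session.createQuery(
            "from Userinfo as cust where cust.loginname = :loginname"
            + " and cust.password = :password", Userinfo.class);
        query.setParameter("loginname", userinfo.getLoginname());
        query.setParameter("password", userinfo.getPassword());
        return query.uniqueResult();
    }
}
```

With the parameterized form, the login name `123 and exists (from Userinfo)` from the question is simply looked up as a literal string and no row matches.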