下面的Java小服务程序代码,用于执行一个登录功能,示出了通过接受用户输入的脆弱性,而不执行适当的输入验证或逸出元字符:
String sql = "select * from user where username='" + username +"' and password='" + password + "'";
stmt = conn.createStatement();
rs = stmt.executeQuery(sql);
if (rs.next()) {
loggedIn = true;
out.println("Successfully logged in");
} else {
out.println("Username and/or password not recognized");
}
================
现在请告诉我怎么才能修改此代码,使其免受SQL注入自由
+1对于xkcd引用 –