**
- sql注入问题:sql的特殊关键字与字符串拼接。会造成安全性的问题
- 1输入名随便,输入密码:a’ or ‘a’='a
- sql:select* from user where username=‘123’ and password=‘a’ or ‘a’=‘a’
**
// 1.获取链接
conn=JDBCUtils.getConnection();
//2.定义语句的SQL
sql="select* from user where username='"+username+"' and password='"+password+"'";
//sql="select* form user where username='"+username+"'and password='"+password+"'";
//3.获取执行SQL语句的对象
stmt=conn.createStatement();
//4.执行查询
rs=stmt.executeQuery(sql);
解决:使用Preparestatement
//1.获取链接
conn=JDBCUtils.getConnection();
//2.定义语句的SQL
sql="select* from user where username=? and password=?";
//3.获取执行SQL语句的对象
pstmt=conn.prepareStatement(sql);
//给?赋值
pstmt.setString(1 , username);
pstmt.setString(2 , password);
//4.执行查询
rs=pstmt.executeQuery();