问题描述
/* * Generated by MyEclipse Struts * Template path: templates/java/JavaClass.vtl */package com.school.struts.action;import java.sql.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.SQLException;import java.sql.Statement;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.struts.action.Action;import org.apache.struts.action.ActionForm;import org.apache.struts.action.ActionForward;import org.apache.struts.action.ActionMapping;import com.school.struts.form.MloginForm;public class MloginAction extends Action { public ActionForward execute(ActionMapping mapping, ActionForm form, HttpServletRequest request, HttpServletResponse response) { MloginForm mloginForm = (MloginForm) form; // TODO Auto-generated method stub String username = mloginForm.getUsername(); String password = mloginForm.getPassword(); if(username.length()==0||password.length()==0){ return mapping.getInputForward(); } System.out.println("managername=" + username + " password=" + password); Statement stmt =null; ResultSet rs = null; String sql = "select * from managersdata where managername = '" + username + "' and password = '" + password + "'"; try{ Class.forName("com.mysql.jdbc.Driver"); Connection conn = DriverManager.getConnection( "jdbc:mysql://localhost:3306/logistics", "root", "123456"); stmt = conn.createStatement(); rs = stmt.executeQuery(sql); if (username.equals(mloginForm.getUsername()) && password.equals(mloginForm.getPassword())){ return mapping.findForward("success"); }else{ request.setAttribute("errorinfo", "用户名或者密码不正确!"); return mapping.findForward("failure"); } // else return mapping.getInputForward(); } catch (Exception ex) { System.out.println(ex.getMessage()); } finally { try { rs.close(); stmt.close(); } catch (SQLException e) { e.printStackTrace(); } } return mapping.getInputForward(); }}代码如上,登陆的时候无论数据库中是否有管理员的数据都登陆成功 怎么解决。。
解决方案
String username = mloginForm.getUsername(); String password = mloginForm.getPassword(); if (username.equals(mloginForm.getUsername()) && password.equals(mloginForm.getPassword())){这不是自己与自己比较嘛 肯定永真啊 rs = stmt.executeQuery(sql); 你应该得到rs 判断有没有数据 有 就登录成功 否则失败String sql = "select * from managersdata where managername = '" + username + "' and password = '" + password + "'"; 这个有sql注入问题
解决方案二:
[color=red]String username = mloginForm.getUsername(); String password = mloginForm.getPassword();[/color] if (username.equals(mloginForm.getUsername()) && password.equals(mloginForm.getPassword())){ return mapping.findForward("success"); }else{ request.setAttribute("errorinfo", "用户名或者密码不正确!"); return mapping.findForward("failure"); }应该拿数据库中取出记录条数是否为0来判断