???????????????ó?????????????а??????????????????????Щ????????????????????????????????????????????????????С?????????????SQL???OS Shell??LDAP??Xpath??Hibernate??????????SQL??????????????????????????????????????????????????????????????????SQL?????????????????????????????????????
??????????sql?????????????????????????????????????????????????SQL????ɡ?
????SQL????????????д??????????????????????????????????????SQL????????????????????????д???????????????????????????????????????SQL??????????SQL??????????????????????????????????????????????
????????????java????????????Java????????????

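// Vulnerable example (kept deliberately unsafe to illustrate the flaw the page
// describes): the customerName request parameter is concatenated straight into
// the SQL text, so whatever the client sends becomes part of the statement
// rather than a value. The parameterized snippets further down are the fix.
String query = "SELECT account_balance FROM user_data WHERE user_name = "
    + request.getParameter("customerName");
try {
    Statement statement = connection.createStatement();
    // Call executeQuery on the instance 'statement', not on the
    // interface 'Statement' -- it is an instance method.
    ResultSet results = statement.executeQuery(query);
} catch (SQLException se) {
    // error handling
}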
??????????????У?????????????δ?????customerName???????customerName?????????????query??????洫??????????У???????????????????sql??????
???????????????????????????????????????sql????????????????????????η?????β????????????????ò???????????????????
????????????? ???????????
??????????????????п?????????????????????????????????????????????п??????????????????е?SQL????????????????????????????????????????????????????????
???????????????????????????????????????????????????????????У????????????????UsrID??“’or ‘1 ‘=’1”?????????????????????????????????‘or ‘1 ‘=’ 1???????
?????????????????????Щ???????飺
????Java——????????????PreparedStatement()??
???????????????????????????治??
?????????
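// Safe version: the user-supplied value is bound to a '?' placeholder, so the
// driver always treats it as data and it can never alter the SQL structure.
String custname = request.getParameter("customerName");
String query = "SELECT account_balance FROM user_data WHERE user_name= ?";
PreparedStatement pstmt = connection.prepareStatement(query);
// Placeholders are 1-based; no manual quoting or escaping of custname is needed.
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();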

?????????????????洢????
?????洢???????????????????????????????????洢???????????岢???????????У????????ó????????
????Java?洢?????????

 

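// Stored-procedure variant: the parameter is bound through CallableStatement,
// giving the same data/SQL separation as PreparedStatement. NOTE(review): this
// only holds if sp_getAccountBalance itself does not build dynamic SQL from its
// argument -- that is outside what this snippet shows.
String custname = request.getParameter("customerName");
try {
    // JDBC escape syntax for a procedure call; the braces must be balanced.
    CallableStatement cs = connection.prepareCall("{call sp_getAccountBalance(?)}");
    cs.setString(1, custname);
    // executeQuery returns a java.sql.ResultSet (there is no "Result" type).
    ResultSet results = cs.executeQuery();
} catch (SQLException se) {
    // error handling
}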