[英]Sql query executed and the resultset returns records even though table in database is empty?
我创建了一个Spring Security UserService,它检查(从登录页面登录的)用户是否存在于数据库(jdbc)中。
如果记录存在,则重定向到主页,否则重定向到拒绝访问页面。
我已经对其进行了测试,但是效果很好,但是当我从数据库中删除记录并尝试进行检查时,我注意到它仍然像数据库中的记录一样工作:使用已删除的用户名和密码进行验证!
有人可以告诉我为什么吗?
这是我的代码:
@Component(value = "userService")
public class UserService implements AuthenticationProvider {
@Inject
@Named(value = "dataSource")
private DataSource dataSource1;
String name;
String password;
int countRow=0;
public Authentication authenticate(Authentication auth) throws AuthenticationException {
ResultSet resultSet = null;
PreparedStatement preparedStatement = null;
Connection connection = null;
name= auth.getName();
password=auth.getCredentials().toString();
final String select= "select username,password from users where username='"+name+"'and password='"+password+"'";
try {
connection = dataSource1.getConnection();
preparedStatement = connection.prepareStatement(select);
resultSet = preparedStatement.executeQuery();
if(resultSet.next()){
countRow++;
if(countRow!=0){
return new UsernamePasswordAuthenticationToken(name, null);}
}
return null;
}
return new UsernamePasswordAuthenticationToken("", "");
}
代替此代码
if(resultSet.next()){
countRow++;
if(countRow!=0){
return new UsernamePasswordAuthenticationToken(name, null);}
}
return null;
采用
String select= "select username,password from users where username=? and password=?";//to avoid sql injection
preparedStatement = connection.prepareStatement(select);
preparedStatement.setString(1,name);
preparedStatement.setString(2,password);
............
if(resultSet.next())//condition is true, means record exists in database
{
//stuff to redirection to success
}
else
{
//stuff to access denied
}
但是我不知道springs
。 只要检查一下
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.