比如說:
String sql = "select * from clients where logname='" + name + "'and password='" + pwd+" '" ;
SQL中只支持單引號,表示字符串常量
SQL中的雙引號用於表示字符串
兩個加號是連接字符串
最終生成的SQL是
select * from clients where logname='xxx' and password='yyy';
上面的寫法存在sql注入漏洞:
select * from clients where logname='xxx' and password='yyy' or 1='1';