0

我目前正在使用此代码进行注册:

value1 = registerEmail.getText().toString();
    value2 = registerPassword.getText().toString();
    value3 = registerName.getText().toString();
    try{
        Class.forName("com.mysql.jdbc.Driver");
        Connection con = DriverManager.getConnection(url, user, pass);
        Statement st = con.createStatement();
        Log.d("Connectc","executing check");
        ResultSet res = st.executeQuery("SELECT * FROM user where email='"+value1+"'");
        while (res.next()) {
            userc = res.getString("email");
        }
            if (value1.equals(userc)) {
                tv.setText("Email already in use!");
            }
            else{
                Log.d("Connectc","registering");
                st.executeUpdate("INSERT INTO user (email, password, name) VALUES('"+value1+"', '"+value2+"', '"+value3+"' )");
                tv.setText("Data is successfully saved." );
                Intent i = new Intent(getApplicationContext(),
                        LoginActivity.class);
                                    startActivity(i);
                finish();
                Log.d("Connectl","pfffffffff");
            }

是的,使用 json 会更好,但我需要使用它......所以代码检查电子邮件是否存在,我还需要检查用户名是否存在,我该怎么办?我必须添加另一个 sql 查询,或者我可以编辑它以检查用户名是否存在于数据库中?谢谢。

4

2 回答 2

1

当您从用户那里获取输入时,最好使用准备好的语句。它不允许您插入任何SQL Injection

value1 = registerEmail.getText().toString();
value3 = registerName.getText().toString();

query = "SELECT * FROM user where email=? OR username=? ";
PreparedStatement st = con.prepareStatement(query); // con is active connection
st.setText(1,value1);
st.setText(2,value3);

如何使用准备好的语句示例。

什么是 SQL 注入?

于 2013-01-08T19:47:55.803 回答
1

如果电子邮件或用户名存在,这将返回行,以便您可以提示用户登录数据已经存在: 

ResultSet res = st.executeQuery(
"SELECT * FROM user 
where email='"+value1+"' 
OR username='"+ value3+"'");
于 2013-01-08T19:43:49.713 回答