10.5 PreparedStatement对象
PreparedStatement 可以防止SQL注入,效率更好!
1、新增
package com.kuang.lesson03;
import com.kuang.lesson02.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Date;
//import java.sql.*;
public class TestInsert {
public static void main(String[] args) {
Connection conn = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
//区别
//使用?占位符代替参数
String sql = "INSERT INTO users1(id,`name`,`password`,`email`,`birthday`) values(?,?,?,?,?)";
st= conn.prepareStatement(sql); //预编译SQL,先写SQL,然后不执行
//手动给参数赋值
st.setInt(1,4);
st.setString(2,"qinjiang");
st.setString(3,"123455");
st.setString(4,"8008208820@qq.com");
// 注意点: sql.Date 数据库
// util.Date java new Date().getTime() 获得时间戳
st.setDate(5,new java.sql.Date(new Date().getTime()));
//执行
int i = st.executeUpdate();
if (i>0){
System.out.println("插入成功!");
}
} catch (SQLException throwables) {
throwables.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}
2、删除
package com.kuang.lesson03;
import com.kuang.lesson02.utils.JdbcUtils;
import java.sql.*;
public class TestDelete {
public static void main(String[] args) {
Connection conn = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
//区别
//使用?占位符代替参数
String sql = "delete from users1 where id =?";
st= conn.prepareStatement(sql); //预编译SQL,先写SQL,然后不执行
//手动给参数赋值
st.setInt(1,4);
// 注意点: sql.Date 数据库
// util.Date java new Date().getTime() 获得时间戳
// st.setDate(5,new java.sql.Date(new java.util.Date().getTime()));
//执行
int i = st.executeUpdate();
if (i>0){
System.out.println("删除成功!");
}
} catch (SQLException throwables) {
throwables.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}
3、更新
package com.kuang.lesson03;
import com.kuang.lesson02.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class TestUpdate {
public static void main(String[] args) {
Connection conn = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
//区别
//使用?占位符代替参数
String sql = "update users1 set `name`=? where id = ?";
st= conn.prepareStatement(sql); //预编译SQL,先写SQL,然后不执行
//手动给参数赋值
st.setString(1,"rongzong");
st.setInt(2,3);
// 注意点: sql.Date 数据库
// util.Date java new Date().getTime() 获得时间戳
// st.setDate(5,new java.sql.Date(new java.util.Date().getTime()));
//执行
int i = st.executeUpdate();
if (i>0){
System.out.println("更新成功!");
}
} catch (SQLException throwables) {
throwables.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}
4、查询
package com.kuang.lesson03;
import com.kuang.lesson02.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class TestSelect {
public static void main(String[] args) {
Connection conn = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
//区别
//使用?占位符代替参数
String sql = "select * from users1 where id =? or id=?";
st= conn.prepareStatement(sql); //预编译SQL,先写SQL,然后不执行
//手动给参数赋值
st.setInt(1,2);
st.setInt(2,3);
// 注意点: sql.Date 数据库
// util.Date java new Date().getTime() 获得时间戳
// st.setDate(5,new java.sql.Date(new java.util.Date().getTime()));
//执行
rs = st.executeQuery();
while (rs.next()){
System.out.println(rs.getString(1));
System.out.println(rs.getString(2));
System.out.println(rs.getString(5));
}
} catch (SQLException throwables) {
throwables.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}
5、防止SQL注入
package com.kuang.lesson03;
import com.kuang.lesson02.utils.JdbcUtils;
import java.sql.*;
public class SQL注入 {
public static void main(String[] args) {
// login(" 'or'1=1"," 'or'1=1");
login("lisi","123456");
}
public static void login(String username,String password) {
Connection conn = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
conn = JdbcUtils.getConnection();
//PrepareStatement 防止SQL注入的本质,把传递进来的参数当作字符
//假设其中存在转义字符,比如说 ' 会被直接转义
String sql = "SELECT * FROM users1 WHERE `name`=? and `password`=?"; //Mybatis
st = conn.prepareStatement(sql);
st.setString(1,username);
st.setString(2,password);
rs= st.executeQuery();
if(rs.next()){
System.out.println(rs.getString("name"));
System.out.println(rs.getString("password"));
}
} catch (SQLException throwables) {
throwables.printStackTrace();
}finally {
JdbcUtils.release(conn,st,rs);
}
}
}