PreparedStatement作用:
1.预编译SQL并执行SQL语句:
①获取PreparedStatement对象
//SQL语句中的参数值,使用?占位符替代
String sql = "select id,username,password from user where username = ? and password = ?";
②设置参数值
PreparedStatement对象:setXxx(参数1,参数2):给?赋值
Xxx:数据类型 参数1:?的位置编号,从一开始,参数2:?的值
③执行SQL
executeUpdate()或executeQuery() :不需要再传递sql
PreparedStatement好处:预编译SQL,性能更高;防止SQL注入将敏感字符进行转义
PreparedStatement预编译功能开启:useServerPrepStmts=true
PreparedStatement原理:①在获取PreparedStatement对象时,将sql语句发给mysql服务器进行检查编译(非常耗时)②执行时不再执行这些步骤,速度更快③如果sql模板一样,只需要进行一次检查、编译
sql注入问题解决:
(select id,username,password from user where username ='自己输入的' and password = '' or '1' = '1')
(上述语句会在遇到单引号时转义加上一个,从而解决sql注入)
import java.sql.*;
public class PreparedStatement {
public static void main(String[] args) throws Exception {
String url = "jdbc:mysql://127.0.0.1:3306/db1?useSLL=false";
String name = "root";
String password = "123456";
Connection conn = DriverManager.getConnection(url, name, password);
String username = "jack";
String pwd = "247893";
//定义sql
String sql = "select id,username,password from user where username = ? and password = ?";
//获取sql对象
java.sql.PreparedStatement pstmt = conn.prepareStatement(sql);
//设置?的值
pstmt.setString(1,username);
pstmt.setString(2,pwd);
//执行sql
ResultSet rs = pstmt.executeQuery();
//判断是否成功
if (rs.next()){
System.out.println("成功");
}else {
System.out.println("失败");
}
rs.close();
conn.close();
pstmt.close();
}
}
网友评论