在JavaJDK中提供了一個性能更好的Statement,就是PreparedStatement。
PreparedStatement優點:
SQL是提前預編譯的,性能高
PreparedStatement不需要SQL拼接,使用?佔位符進行佔位。避免了SQL注入問題,安全性更高。
下面代碼展示用法:
學生表:
-- Table used by all three samples below; the Java code reads/writes these five columns in this order.
CREATE TABLE `students` (
`sid` varchar(8) NOT NULL,
`sname` varchar(255) DEFAULT NULL,
`gender` varchar(255) DEFAULT NULL,
`birthday` date DEFAULT NULL,
`address` varchar(255) DEFAULT NULL,
PRIMARY KEY (`sid`)
-- NOTE(review): MySQL's `utf8` charset is the 3-byte subset; use `utf8mb4` if 4-byte characters (e.g. emoji) must be stored.
) ENGINE=InnoDB DEFAULT CHARSET=utf8
①PreparedStatement進行查詢
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Scanner;
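public class PreparedStatementSelectTest {

    /** Connection settings for the sample; real code should load these from configuration, never from source. */
    private static final String DRIVER = "com.mysql.jdbc.Driver";
    private static final String URL = "jdbc:mysql:///test";
    private static final String USER = "root";
    private static final String PASSWORD = "1234";

    /** The SQL text is fixed; the name is bound as a parameter, so user input cannot alter the statement. */
    private static final String SQL = "select * from students where sname=?";

    /**
     * Reads a student name from stdin and prints every {@code students} row with that name.
     *
     * <p>All JDBC resources (and the {@link Scanner}) are closed by try-with-resources, in reverse
     * order of acquisition, on both the normal and the exceptional path.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try (Scanner input = new Scanner(System.in)) {
            System.out.println("請輸入姓名:");
            String sname = input.next();
            // Optional with JDBC 4.0+ drivers, which register themselves via ServiceLoader; kept for older drivers.
            Class.forName(DRIVER);
            try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
                 PreparedStatement ps = conn.prepareStatement(SQL)) {
                ps.setString(1, sname);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        printStudent(rs);
                    }
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            // Demo program: report and exit. A real application would log this and show a generic error.
            e.printStackTrace();
        }
    }

    /**
     * Prints one row of the {@code students} table.
     *
     * <p>Columns are read by name (from the table DDL) rather than by index, so the output does not
     * silently shift if the column order changes.
     *
     * @param rs result set positioned on the row to print
     * @throws SQLException if a column cannot be read
     */
    private static void printStudent(ResultSet rs) throws SQLException {
        System.out.print(rs.getString("sid"));
        System.out.print(rs.getString("sname"));
        System.out.print(rs.getString("gender"));
        System.out.print(rs.getDate("birthday"));
        System.out.println(rs.getString("address"));
    }
}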
②PreparedStatement進行增刪改
增刪改的操作類似,下面只展示增加
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
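public class PreparedStatementUpdate {

    /** Connection settings for the sample; real code should load these from configuration, never from source. */
    private static final String DRIVER = "com.mysql.jdbc.Driver";
    private static final String URL = "jdbc:mysql:///test";
    private static final String USER = "root";
    private static final String PASSWORD = "1234";

    /** One placeholder per column of the students table (sid, sname, gender, birthday, address). */
    private static final String SQL = "insert into students values(?,?,?,?,?)";

    /**
     * Inserts one fixed sample row into {@code students} and reports whether a row was written.
     *
     * <p>Connection and statement are closed by try-with-resources on every path; the
     * original hand-written finally block is no longer needed.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // Optional with JDBC 4.0+ drivers, which register themselves via ServiceLoader; kept for older drivers.
            Class.forName(DRIVER);
            try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
                 PreparedStatement ps = conn.prepareStatement(SQL)) {
                // Typed setters instead of setObject: the driver no longer has to guess the SQL type,
                // and the date is validated in Java (Date.valueOf rejects malformed input) before it reaches the DB.
                ps.setString(1, "S0000006");
                ps.setString(2, "小紅");
                ps.setString(3, "女");
                ps.setDate(4, java.sql.Date.valueOf("2018-12-31"));
                ps.setString(5, "呼和浩特");
                int count = ps.executeUpdate();
                if (count > 0) {
                    System.out.println("新增成功!");
                } else {
                    System.out.println("新增失敗!");
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            // Demo program: report and exit. A duplicate sid surfaces here as an SQLException.
            e.printStackTrace();
        }
    }
}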
③登錄的實現(防止SQL注入破解)
其防止SQL注入破解很簡單,就是使用佔位符,不再使用SQL拼接語句。需要注意的是,佔位符只能綁定值(例如賬號、密碼),不能綁定表名、欄位名或排序方式等SQL結構;這些部分若來自用戶輸入,仍需另行以白名單校驗。
下面是代碼展示:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Scanner;
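public class PreparedStatementLogin {

    /** Connection settings for the sample; real code should load these from configuration, never from source. */
    private static final String DRIVER = "com.mysql.jdbc.Driver";
    private static final String URL = "jdbc:mysql:///test";
    private static final String USER = "root";
    private static final String PASSWORD = "1234";

    /**
     * Login query. Both inputs are bound as parameters, so neither can change the structure of the
     * statement — this is what removes the injection risk of string-concatenated SQL.
     */
    private static final String SQL = "select * from users where username=? and password=?";

    /**
     * Reads a username and password from stdin and reports whether a matching {@code users} row exists.
     *
     * <p>Scanner, connection, statement and result set are all closed by try-with-resources.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try (Scanner input = new Scanner(System.in)) {
            System.out.print("請輸入您的賬號:");
            String name = input.next();
            System.out.print("請輸入密碼:");
            String pass = input.next();
            // Optional with JDBC 4.0+ drivers, which register themselves via ServiceLoader; kept for older drivers.
            Class.forName(DRIVER);
            try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD);
                 PreparedStatement ps = conn.prepareStatement(SQL)) {
                ps.setString(1, name);
                // NOTE(review): this compares the raw password with the stored column, which only works if
                // the table holds plaintext passwords. Store a salted hash (bcrypt/scrypt/argon2) instead,
                // look the user up by username only, and verify the hash in Java.
                ps.setString(2, pass);
                try (ResultSet rs = ps.executeQuery()) {
                    if (rs.next()) {
                        System.out.println("歡迎您:"+name+",登陸成功~!");
                    } else {
                        // One message for both "unknown user" and "wrong password", so the response
                        // does not reveal which accounts exist.
                        System.out.println("賬號或者密碼錯誤!");
                    }
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            // Demo program: report and exit. A real application would log this and show a generic error.
            e.printStackTrace();
        }
    }
}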
上一篇關於SQL注入破解操作:https://blog.csdn.net/qq_41061437/article/details/82661547