PreparedStatement可以防止sql注入問題,效率更高
先進行預編譯sql,將要設定的欄位值使用佔位符
本質:預編譯會將傳遞進來的引數包裹成字元,而單引號會被跳脫字元轉換為空內容,有效的防止sql注入的問題
CRUD--SELECT
String sql = "select * from users where id=?";
st = connection.prepareStatement(sql);//預編譯語句
st.setInt(1,14);
ResultSet resultSet = st.executeQuery();
while (resultSet.next()){
System.out.println(resultSet.getString("name"));
System.out.println(resultSet.getString("password"));
System.out.println(resultSet.getString("email"));
System.out.println(resultSet.getString("birthday"));
}
CRUD--INSERT
String sql = "insert into users(`name`,`password`,`email`,`birthday`) value (?,?,?,?)";
st = connection.prepareStatement(sql);//預編譯語句
st.setString(1,"王麗萍");//傳遞引數
st.setString(2,"wlp123");
st.setString(3,"wangliping@163.com");
//獲得時間戳 java.Date 再將時間戳轉換為sql.Date下面的時間
pst.setDate(4,new Date(new java.util.Date().getTime()));
int i = st.executeUpdate();
CRUD--DELETE
String sql = "delete from users where id=?";
st = connection.prepareStatement(sql);//預編譯語句
st.setInt(1, 8);//傳遞引數
int i = st.executeUpdate();
if (i > 0) {
System.out.println("刪除成功");
CRUD--UPDATE
String sql = "update users set `name`=? ,`password` = ?where id=?";
st = connection.prepareStatement(sql);//預編譯語句
st.setString(1,"李昂");
st.setString(2,"liang@163.com");
st.setInt(3,6);
int i = st.executeUpdate();
模擬登入測試
String sql = "select * from `users` where `name`=? and `password`=?";
statement = connection.prepareStatement(sql);
statement.setString(1,username);
statement.setString(2,password);
resultSet = statement.executeQuery();