PreparedStatement: precompiled SQL
PreparedStatement
- PreparedStatement (a precompiled Statement) is a sub-interface of Statement
- PreparedStatement parameterizes the SQL, which prevents SQL injection attacks
- PreparedStatement executes more efficiently than Statement
Code using Statement

```java
// SQL injection risk: the user-supplied value is concatenated straight into the query text.
// When dname is "' or 1 = 1 or 1 = '", every filter condition is bypassed.
// Resulting SQL: select * from employee where dname = '' or 1=1 or 1=''
Statement stmt = connection.createStatement();
ResultSet rs = stmt.executeQuery("select * from employee where dname = '" + pdname + "'");
System.out.println("select * from employee where dname = '" + pdname + "'");
while (rs.next()) {
    // process each row
    ....
}
```
Code using PreparedStatement

```java
// PreparedStatement prevents the SQL injection: the value is bound as a parameter
// and never spliced into the SQL text.
// When dname is "' or 1=1 or 1='", the query returns no rows, because the whole
// string is matched as a literal value, equivalent to:
// SQL: select * from employee where dname = '\' or 1=1 or 1=\''
String sql = "select * from employee where dname=?";
PreparedStatement pstmt = connection.prepareStatement(sql);
pstmt.setString(1, pdname); // bind the SQL parameter; parameter indexes start at 1
ResultSet rs = pstmt.executeQuery();
while (rs.next()) {
    // process each row
    ....
}
```
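The two queries above, run side by side against an in-memory database so the difference is observable. This is an added example, not code from the original note; it uses Python's sqlite3 module in place of JDBC (the `?` placeholder works the same way), and the employee table and its rows are constructed here.

```python
import sqlite3

# The injection string from the note above.
PAYLOAD = "' or 1=1 or 1='"


def make_db():
    """Constructed sample data: an employee table with a department column."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (ename TEXT, dname TEXT);
        INSERT INTO employee VALUES ('alice', 'sales'), ('bob', 'it'),
                                    ('carol', 'hr'), ('dave', 'r''n''d');
    """)
    return conn


def find_by_dept_concat(conn, pdname):
    """Mirrors the Statement version: the value is concatenated into the SQL text."""
    sql = "select * from employee where dname = '" + pdname + "'"
    return conn.execute(sql).fetchall()


def find_by_dept_param(conn, pdname):
    """Mirrors the PreparedStatement version: the value is bound as a parameter."""
    sql = "select * from employee where dname = ?"
    return conn.execute(sql, (pdname,)).fetchall()


def demo():
    """Row counts for a normal value, the payload, and a value containing a quote."""
    conn = make_db()
    results = {
        "concat_normal": len(find_by_dept_concat(conn, "sales")),
        "concat_payload": len(find_by_dept_concat(conn, PAYLOAD)),
        "param_normal": len(find_by_dept_param(conn, "sales")),
        "param_payload": len(find_by_dept_param(conn, PAYLOAD)),
        "param_quote": len(find_by_dept_param(conn, "r'n'd")),
    }
    # A legitimate value with an apostrophe breaks the concatenated query entirely:
    # the quote ends the literal early and the statement no longer parses.
    try:
        find_by_dept_concat(conn, "r'n'd")
        results["concat_quote_error"] = False
    except sqlite3.OperationalError:
        results["concat_quote_error"] = True
    return results
```

With concatenation the payload returns every employee (the filter is bypassed) and an ordinary quoted value is a syntax error; with a bound parameter the payload matches nothing and the quoted value is found.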