CREATE TABLE USER(
id int PRIMARY KEY auto_increment,
username VARCHAR(32),
PASSWORD VARCHAR(32));
INSERT INTO USER VALUES(NULL,'张三','123');
INSERT INTO USER VALUES(NULL,'李四','456');
Test:
package cn.sdut.jdbc;import java.sql.Connection;import java.sql.ResultSet;import java.sql.SQLException;import java.sql.Statement;import java.util.Scanner;/*
需求:
1. 通过键盘录入用户名和密码
2. 判断用户是否登陆成功
*/publicclassTest{publicstaticvoidmain(String[] args){//1.创建键盘录入,接受数据
Scanner input =newScanner(System.in);
System.out.println("请输入用户名");
String username = input.next();
System.out.println("请输入用户密码");
String password = input.next();//2.调用方法boolean flag =newTest().login(username,password);//3.判断结果并输出if(flag)
System.out.println("登陆成功!");else
System.out.println("密码或用户名错误!");}//登陆方法publicbooleanlogin(String username, String password){if(username == null || password == null){returnfalse;}
Connection con = null;
Statement st = null;
ResultSet rs = null;try{
con = JDBCUtil.getConnection();
String sql ="select * from user where username='"+username+"'and password='"+password+"'";
st = con.createStatement();
rs = st.executeQuery(sql);return rs.next();}catch(SQLException e){
e.printStackTrace();}finally{
JDBCUtil.closeAll(rs,st,con);}returnfalse;}}
PreparedStatement类(Statement子类):
SQL注入问题:在拼接sql时,有一些sql的特殊关键字参与字符串拼接,会造成安全性问题
1.任意输入用户名,输入密码:a' or 'a' = 'a
解决sql注入问题:使用 PreparedStatement 对象解决
预编译的Sql:参数使用 ? 作为占位符
步骤:
定义sql时使用 ?作为占位符
例:`select * from user where username=? and password=?`
给 ?赋值
1.参数1:?的位置编号,从1开始
2.参数2:?的值
con = JDBCUtil.getConnection();
String sql ="select * from user where username=? and password=?";
pst = con.prepareStatement(sql);
pst.setString(1,username);
pst.setString(2,password);
rs = pst.executeQuery();
登陆案例:需求:通过键盘录入用户名和密码判断用户是否登陆成功如果sql有查询结果则成功,反之失败步骤:创建数据库表 userCREATE TABLE USER( id int PRIMARY KEY auto_increment, username VARCHAR(32), PASSWORD VARCHAR(32));INSERT INTO USER VALUES(NULL,'张三','123');INSERT INTO USER VALUES(NULL,'李四','45