JDBC工具类 Ⅲ
3. PreparedStatement 使用
3.1 PreparedStatement 基本使用案例
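/**
 * Inserts one fixed student row through a parameterised {@link PreparedStatement}.
 *
 * <p>Every column value is bound to a {@code ?} placeholder, so the values travel to the
 * database as data and are never spliced into the SQL text. The connection and the statement
 * are released in {@code finally} through {@code JdbcUtil.close} whether or not the insert
 * succeeds.
 *
 * @throws IllegalStateException if the insert fails; the underlying {@link SQLException} is
 *     preserved as the cause so the test fails visibly instead of printing a trace and passing
 */
@Test
public void testInsert() {
    Connection connection = null;
    PreparedStatement statement = null;
    connection = JdbcUtil.getConnection();
    // Six placeholders, one per column in the column list.
    String sql = "insert into javaee2011.student(id, name, age, gender, score, info) values(?,?,?,?,?,?)";
    try {
        statement = connection.prepareStatement(sql);
        // Typed setters state the expected column type; the driver handles quoting/escaping.
        statement.setInt(1, 20);
        statement.setString(2, "可莉");
        statement.setInt(3, 75);
        statement.setInt(4, 0);
        statement.setInt(5, 5);
        statement.setString(6, "星落湖鱼塘杀手");
        int affectedRows = statement.executeUpdate();
        System.out.println(affectedRows);
    } catch (SQLException e) {
        // A swallowed exception would let this test pass even though the insert failed.
        throw new IllegalStateException("insert into javaee2011.student failed", e);
    } finally {
        JdbcUtil.close(connection, statement);
    }
}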
3.2 PreparedStatement 代码演示（Statement 与 PreparedStatement 对比）
package com.qfedu.a_jdbc;
import util.JdbcUtil;
import java.sql.*;
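/**
 * Side-by-side demonstration of one login query executed two ways: with a plain
 * {@link Statement} whose SQL is assembled by string concatenation, and with a
 * {@link PreparedStatement} whose values are bound to {@code ?} placeholders.
 *
 * <p>The credentials are fixed constants; {@code PASSWORD} deliberately contains quote,
 * {@code or} and comment characters so the two approaches can be compared. {@code main} runs the
 * concatenating variant first and the parameterised variant second; each prints whether the
 * query returned a row.
 */
public class Demo3 {
    private static final String NAME = "七七";
    // Concatenated into SQL text (testStatement) these characters become part of the query itself;
    // bound as a parameter (testPreparedStatement) the whole string is only compared as a value.
    private static final String PASSWORD = "这么写依旧可以执行出来,是一个安全漏洞' or 1=1 -- ";

    /**
     * Runs the concatenating variant, then the parameterised one.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        testStatement();
        testPreparedStatement();
    }

    /**
     * Login check with the SQL text built by concatenation.
     *
     * <p>This is the vulnerable half of the demo: whatever {@code NAME} and {@code PASSWORD}
     * contain is parsed as SQL, so the characters in {@code PASSWORD} alter the query's meaning
     * rather than being compared as a literal. The concatenation is kept on purpose to show the
     * contrast with {@link #testPreparedStatement()}; it is not a pattern to use with
     * caller-supplied input. Resources are released in {@code finally} via {@code JdbcUtil.close}.
     */
    public static void testStatement() {
        Statement statement = null;
        ResultSet resultSet = null;
        Connection connection = null;
        connection = JdbcUtil.getConnection();
        // Values are spliced straight into the SQL string: no separation between code and data.
        String sql = "select * from javaee2011.person6 where name = '" + NAME + "' and password = '" + PASSWORD + "'";
        try {
            statement = connection.createStatement();
            resultSet = statement.executeQuery(sql);
            if (resultSet.next()) {
                System.out.println("Statement 登陆验证成功");
            } else {
                System.out.println("Statement 登陆验证失败");
            }
        } catch (SQLException e) {
            // Console demo: report and let main continue with the second variant.
            e.printStackTrace();
        } finally {
            JdbcUtil.close(connection, statement, resultSet);
        }
    }

    /**
     * Login check with the same query, but with {@code NAME} and {@code PASSWORD} bound to
     * placeholders.
     *
     * <p>The SQL text is fixed at prepare time and the values are sent separately, so the
     * characters in {@code PASSWORD} are compared as an ordinary string and cannot change the
     * query. Resources are released in {@code finally} via {@code JdbcUtil.close}.
     */
    public static void testPreparedStatement() {
        ResultSet resultSet = null;
        Connection connection = null;
        PreparedStatement statement = null;
        connection = JdbcUtil.getConnection();
        String sql = "select * from javaee2011.person6 where name = ? and password = ?";
        try {
            statement = connection.prepareStatement(sql);
            statement.setObject(1, NAME);
            statement.setObject(2, PASSWORD);
            resultSet = statement.executeQuery();
            if (resultSet.next()) {
                System.out.println("PreparedStatement 登陆验证成功");
            } else {
                System.out.println("PreparedStatement 登陆验证失败");
            }
        } catch (SQLException e) {
            // Console demo: report and let main finish.
            e.printStackTrace();
        } finally {
            JdbcUtil.close(connection, statement, resultSet);
        }
    }
}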