preparedStatement的介绍
- preparedstatement为statement的子接口
- PreparedStatement 的优点：防止 SQL 注入攻击，提高代码的可读性和可维护性
- 提高效率
什么是 SQL 注入攻击
例如：用户登录时输入的账号和密码本身就是 SQL 语句的片段，若直接拼接进查询字符串，就会改变原有 SQL 的语义。
用 PreparedStatement 防止 SQL 注入攻击的代码实现
package cn.itcast.demo3;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import org.junit.Test;
/*
* 使用preparedStatement实现阻止sql攻击
*
*/
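public class demo3 {

    /**
     * Checks whether a row with the given username and password exists in t_user.
     *
     * <p>The credentials are bound as parameters of a prepared statement, so
     * attacker-controlled input is never concatenated into the SQL text.
     *
     * @param username value bound to the first placeholder
     * @param password value bound to the second placeholder
     * @return {@code true} if the query returned at least one row
     * @throws RuntimeException wrapping any driver, connection or query failure
     *         (the {@code throws Exception} clause is kept for caller compatibility)
     */
    public boolean fun3(String username, String password) throws Exception {
        Connection con = null;
        PreparedStatement prst = null;
        ResultSet rs = null;
        try {
            // NOTE(review): connection settings are hard-coded for the demo; in real
            // code load them from configuration and never commit the DB password.
            String driverClassName = "com.mysql.jdbc.Driver";
            String url = "jdbc:mysql://localhost:3306/mydb3";
            String mysqlUsername = "root";
            String mysqlPassword = "123";
            Class.forName(driverClassName);
            con = DriverManager.getConnection(url, mysqlUsername, mysqlPassword);

            // SQL template: the '?' placeholders are filled by the driver, which
            // escapes/quotes the values, so input like "' OR '1'='1" stays data.
            // NOTE(review): the query compares the raw password column; a real
            // application would compare a password hash instead of plaintext.
            String sql = "SELECT * FROM t_user WHERE username=? and password=?";
            prst = con.prepareStatement(sql);
            prst.setString(1, username);
            prst.setString(2, password);

            rs = prst.executeQuery();
            return rs.next();
        } catch (Exception e) {
            // Keep the original cause so driver/SQL errors remain diagnosable.
            throw new RuntimeException(e);
        } finally {
            // Close in reverse order of acquisition. The original checked
            // "== null" before close(), which was inverted: open resources were
            // leaked and a null reference was dereferenced. Nesting the closes
            // ensures a failing close() does not skip the remaining ones.
            try {
                if (rs != null) {
                    rs.close();
                }
            } finally {
                try {
                    if (prst != null) {
                        prst.close();
                    }
                } finally {
                    if (con != null) {
                        con.close();
                    }
                }
            }
        }
    }

    /**
     * Smoke test: runs the lookup with a fixed username/password pair and prints
     * whether a matching row was found (requires a reachable MySQL instance).
     */
    @Test
    public void fun4() throws Exception {
        String username = "zhangsan";
        String password = "123";
        boolean b = fun3(username, password);
        System.out.println(b);
    }
}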
控制台输出的结果
false