PreparedStatement:
执行sql的对象. 该使用安全!
例子:
package com.ujn.jdbcDemo.jdbc_basic;
import com.ujn.jdbcUtils.DBUtils;
import java.sql.*;
import java.util.Scanner;
public class Login {
public static void main(String[] args) {
if (Login.login_method2()){
System.out.println("登录成功!");
}else {
System.out.println("登陆失败!");
}
}
/**
* 登录方法1---(安全)
*/
public static boolean login_method1(){
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String name = sc.next();
System.out.println("请输入密码:");
String pass = sc.next();
if (name == null || pass == null){
return false;
}
Connection conn = null;
Statement stat = null;
ResultSet res = null;
try {
conn = DBUtils.getConn();
String sql = "select * from logininfos";
stat = conn.createStatement();
res = stat.executeQuery(sql);
while (res.next()){
if (name.equals(res.getString("username")) && pass.equals(res.getString("password"))){
return true;
}
}
} catch (Exception e) {
e.printStackTrace();
} finally {
DBUtils.close(res, stat, conn);
}
return false;
}
/**
* 登录方法2---(不安全 存在sql注入)
*/
public static boolean login_method2(){
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String name = sc.next();
System.out.println("请输入密码:");
String pass = sc.next();
if (name == null || pass == null){
return false;
}
Connection conn = null;
Statement stat = null;
ResultSet res = null;
try {
conn = DBUtils.getConn();
String sql = "select * from logininfos where username ='" + name + "'and password ='" + pass +"'";
System.out.println(sql);
stat = conn.createStatement();
res = stat.executeQuery(sql);
return res.next();
} catch (Exception e) {
e.printStackTrace();
} finally {
DBUtils.close(res, stat, conn);
}
return false;
}
/**
* 登录方法3---(安全 使用了PreparedStatement)
*/
public static boolean login_method3(){
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名:");
String name = sc.next();
System.out.println("请输入密码:");
String pass = sc.next();
if (name == null || pass == null){
return false;
}
Connection conn = null;
PreparedStatement pstat = null;
ResultSet res = null;
try {
conn = DBUtils.getConn();
String sql = "select * from logininfos where username = ? and password = ?";
pstat = conn.prepareStatement(sql);
pstat.setString(1, name);
pstat.setString(2, pass);
res = pstat.executeQuery();
return res.next();
} catch (Exception e) {
e.printStackTrace();
} finally {
DBUtils.close(res, pstat, conn);
}
return false;
}
}
测试结果: