Prepared statements (PreparedStatement) are an effective defence against SQL injection: they are safer and more reliable than building SQL strings by hand.
The example below, with its source code:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class PreparedStatementDemo {
    public static void main(String[] args) {
        Connection connection = null;
        PreparedStatement pps = null;
        // The result set returned by the query
        ResultSet resultSet = null;
        try {
            // 1. Load the driver
            Class.forName("com.mysql.cj.jdbc.Driver");
            // 2. Obtain the connection
            String userName = "root"; // user name
            String passWord = "******"; // password
            String url = "jdbc:mysql://localhost:3306/mysqlgaoji?serverTimezone=UTC";
            connection = DriverManager.getConnection(url, userName, passWord);
            // 3. Define the SQL and create the prepared statement (the channel that sends the SQL)
            String sql = "select * from employee where name=? and title=?";
            pps = connection.prepareStatement(sql);
            // Bind values to the placeholders (index, value); ? is the placeholder
            pps.setString(1, "张三");
            pps.setString(2, "程序员");
            // 4. Execute the SQL
            resultSet = pps.executeQuery();
            if (resultSet.next()) {
                System.out.println("成功");
            } else {
                System.out.println("失败");
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException throwables) {
            throwables.printStackTrace();
        } finally {
            try {
                // 5. Release resources, in reverse order of creation
                if (resultSet != null) {
                    resultSet.close();
                }
                if (pps != null) {
                    pps.close();
                }
                if (connection != null) {
                    connection.close();
                }
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
    }
}
The prepared-statement part of the code is:
// 3. Define the SQL and create the prepared statement (the channel that sends the SQL)
String sql = "select * from employee where name=? and title=?";
pps = connection.prepareStatement(sql);
// Bind values to the placeholders (index, value); ? is the placeholder
pps.setString(1, "张三");
pps.setString(2, "程序员");
// 4. Execute the SQL
resultSet = pps.executeQuery();
First a SQL statement is defined, using ? (the ASCII question mark, not the full-width one) as a placeholder for each value. Then setString is called to bind each placeholder (index, value); setString can be swapped for setInt and the other setXxx methods according to the column type. Because the values are bound separately from the SQL text, the query structure is fixed and the program runs safely.
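The contrast the text relies on, as an added example that is not part of the original post: the string-concatenation pattern that prepared statements replace, beside a bound version that also uses setInt as the text describes. The connection settings are the page's; the dept_id column, the EmployeeLookup class and the method names are assumptions made for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class EmployeeLookup {
    // Connection settings taken from the page; the password is a placeholder.
    private static final String URL =
        "jdbc:mysql://localhost:3306/mysqlgaoji?serverTimezone=UTC";
    private static final String USER = "root";
    private static final String PASSWORD = "******";

    // The pattern prepared statements replace: user-controlled values become part
    // of the SQL text, so a quote character inside them changes the query's
    // structure instead of being compared as data. Kept only as the "before".
    static String buildConcatenatedSql(String name, String title) {
        return "select * from employee where name='" + name
             + "' and title='" + title + "'";
    }

    // The fixed version: the SQL text is constant and every value is bound to a
    // placeholder, so the driver sends values separately from the statement.
    // dept_id is an assumed extra column, used to show setInt beside setString.
    static boolean employeeExists(Connection conn, String name, String title, int deptId)
            throws SQLException {
        String sql = "select 1 from employee where name=? and title=? and dept_id=?";
        try (PreparedStatement pps = conn.prepareStatement(sql)) {
            pps.setString(1, name);  // bound as a string value, never parsed as SQL
            pps.setString(2, title);
            pps.setInt(3, deptId);   // typed binding: only an int can reach the query
            try (ResultSet rs = pps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // try-with-resources closes the connection even when the query throws,
        // replacing the explicit finally block of the page's example. JDBC 4+
        // drivers register themselves, so Class.forName is no longer required.
        try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
            // A legitimate name containing a quote is handled as plain data here;
            // with buildConcatenatedSql it would break the query's syntax instead.
            boolean found = employeeExists(conn, "O'Brien", "程序员", 10);
            System.out.println(found ? "成功" : "失败");
        }
    }
}
```

Binding only covers values: table and column names or ORDER BY targets cannot be placeholders and must come from an allow-list rather than from user input.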