import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
/**
 * Demo: inserts a single row into {@code users} through a parameterised statement.
 *
 * <p>Every column value is bound with a {@code ?} placeholder, so no data is ever
 * concatenated into the SQL text. The connection and statement are returned to
 * {@code JdbcUtils.release} in the {@code finally} block whether or not the
 * insert succeeded.
 */
public class TestInsert {
    public static void main(String[] args) {
        Connection connection = null;
        PreparedStatement statement = null;
        try {
            connection = JdbcUtils.getConnection();
            String sql = "insert into users(`id`,`name`,`password`,`email`,`birthday`)values(?,?,?,?,?)";
            statement = connection.prepareStatement(sql);
            // All five columns go in as bound parameters (1-based positions).
            statement.setInt(1, 4);
            statement.setString(2, "字符串");
            // NOTE(review): the password column receives a plain literal here; a real
            // application would store a password hash, never the raw value.
            statement.setString(3, "字符串");
            statement.setString(4, "字符串");
            // java.sql.Date built from the current epoch milliseconds.
            statement.setDate(5, new Date(System.currentTimeMillis()));
            int affectedRows = statement.executeUpdate();
            if (affectedRows > 0) {
                System.out.println("插入成功");
            }
        } catch (Exception e) {
            // Demo-only handling: print and continue so the finally block still releases.
            e.printStackTrace();
        } finally {
            JdbcUtils.release(connection, statement);
        }
    }
}
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
/**
 * Demo: deletes the {@code users} row whose {@code id} matches a bound parameter.
 *
 * <p>The id is supplied through a {@code ?} placeholder rather than string
 * concatenation, and the connection and statement are always handed back to
 * {@code JdbcUtils.release} in the {@code finally} block.
 */
public class TestDelete {
    public static void main(String[] args) {
        Connection connection = null;
        PreparedStatement statement = null;
        try {
            connection = JdbcUtils.getConnection();
            String sql = "delete from users where id=?";
            statement = connection.prepareStatement(sql);
            // The row key is bound, not interpolated into the SQL text.
            statement.setInt(1, 4);
            int affectedRows = statement.executeUpdate();
            if (affectedRows > 0) {
                System.out.println("删除成功");
            }
        } catch (Exception e) {
            // Demo-only handling: print and continue so the finally block still releases.
            e.printStackTrace();
        } finally {
            JdbcUtils.release(connection, statement);
        }
    }
}
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
/**
 * Demo: updates the {@code name} column of one {@code users} row selected by id.
 *
 * <p>Both the new value and the row id are bound parameters, so the SQL text is
 * fixed at compile time. Resources are released via {@code JdbcUtils.release}
 * in the {@code finally} block on every path.
 */
public class TestUpdate {
    public static void main(String[] args) {
        Connection connection = null;
        PreparedStatement statement = null;
        try {
            connection = JdbcUtils.getConnection();
            String sql = "update users set `name`=? where id=?";
            statement = connection.prepareStatement(sql);
            // Parameter 1 is the new name, parameter 2 the target row id.
            statement.setString(1, "芜湖阿克曼");
            statement.setInt(2, 4);
            int affectedRows = statement.executeUpdate();
            if (affectedRows > 0) {
                System.out.println("更新成功");
            }
        } catch (Exception e) {
            // Demo-only handling: print and continue so the finally block still releases.
            e.printStackTrace();
        } finally {
            JdbcUtils.release(connection, statement);
        }
    }
}
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
/**
 * Demo: reads the {@code users} row with a bound {@code id} and prints its {@code name}.
 *
 * <p>The lookup key is a {@code ?} parameter, never concatenated into the query.
 * Connection, statement and result set are all passed to
 * {@code JdbcUtils.release} in the {@code finally} block so nothing leaks on error.
 */
public class TestSelect {
    public static void main(String[] args) {
        Connection connection = null;
        PreparedStatement statement = null;
        ResultSet resultSet = null;
        try {
            connection = JdbcUtils.getConnection();
            String sql = "select * from users where id=?";
            statement = connection.prepareStatement(sql);
            statement.setInt(1, 1);
            resultSet = statement.executeQuery();
            // Iterate every matching row; only the name column is printed.
            while (resultSet.next()) {
                String name = resultSet.getString("name");
                System.out.println(name);
            }
        } catch (Exception e) {
            // Demo-only handling: print and continue so the finally block still releases.
            e.printStackTrace();
        } finally {
            JdbcUtils.release(connection, statement, resultSet);
        }
    }
}
PreparedStatement 防止 SQL 注入的本质：
把传递进来的参数当作纯粹的数据值处理，而不是拼接进 SQL 语句文本；
假设其中存在特殊字符，比如 ' ，会被直接转义，不会改变语句的结构。