Drawbacks:
Scanner scan = new Scanner(System.in);
String name = scan.next();
…
String concatenation
String sql = "insert into customers(name,email,birth) values('" + name + "','" + email + "','" + birth + "')";
**Note:** the concatenation operator has to be used over and over, which is tedious and error-prone.
SQL injection:
SELECT user,password FROM user_table WHERE user = '1' or ' AND password = '=1 or '1' = '1'
**Note:** even when the password entered is wrong, the illegally constructed SQL statement above still lets the login succeed, because the user input is parsed as part of the SQL text.
Other problems:
Statement cannot handle Blob-type variables.
Statement is inefficient for batch inserts.
How to avoid SQL injection:
Simply replace Statement with PreparedStatement (which extends Statement): the SQL is compiled once with `?` placeholders, and each bound value is sent as data rather than being spliced into the statement text.
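The following Java class is an added example, not code from the original note. It assumes an open `java.sql.Connection` to a database that contains the `user_table` and `customers` tables mentioned above; the method names are hypothetical. It places the concatenation-based login (the pattern the note calls vulnerable) next to its PreparedStatement replacement, and also shows the parameterized insert and a batch insert via `addBatch`/`executeBatch`, which addresses the batch-efficiency point.

```java
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

public class CustomerDao {

    // VULNERABLE (kept only for contrast): the query text is assembled by
    // concatenation, so whatever the user types becomes part of the SQL.
    static boolean loginWithStatement(Connection conn, String user, String password)
            throws SQLException {
        String sql = "SELECT user, password FROM user_table WHERE user = '" + user
                + "' AND password = '" + password + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next(); // true if any row matched
        }
    }

    // HARDENED: the SQL text is fixed; user input is bound as values, so quote
    // characters in the input are never interpreted as SQL syntax.
    static boolean loginWithPreparedStatement(Connection conn, String user, String password)
            throws SQLException {
        String sql = "SELECT user, password FROM user_table WHERE user = ? AND password = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    // Parameterized version of the customers insert from the note: no manual
    // quoting, and the Date is passed as a typed value rather than a string.
    static int insertCustomer(Connection conn, String name, String email, Date birth)
            throws SQLException {
        String sql = "INSERT INTO customers(name, email, birth) VALUES (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, email);
            ps.setDate(3, birth);
            return ps.executeUpdate(); // number of rows inserted
        }
    }

    // Simple value holder for the batch example (constructed for this example).
    record Customer(String name, String email, Date birth) {}

    // Batch insert: one compiled statement, many parameter sets, one round of
    // execution. Auto-commit is disabled so the whole batch commits together.
    static int insertCustomersBatch(Connection conn, List<Customer> customers)
            throws SQLException {
        String sql = "INSERT INTO customers(name, email, birth) VALUES (?, ?, ?)";
        boolean previousAutoCommit = conn.getAutoCommit();
        conn.setAutoCommit(false);
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (Customer c : customers) {
                ps.setString(1, c.name());
                ps.setString(2, c.email());
                ps.setDate(3, c.birth());
                ps.addBatch();
            }
            int[] counts = ps.executeBatch();
            conn.commit();
            int total = 0;
            for (int n : counts) {
                if (n > 0) total += n; // SUCCESS_NO_INFO (-2) is not counted
            }
            return total;
        } catch (SQLException e) {
            conn.rollback();
            throw e;
        } finally {
            conn.setAutoCommit(previousAutoCommit);
        }
    }
}
```

With `loginWithPreparedStatement`, the input from the note's injection example is compared literally against the `user` column and simply fails to match, whereas `loginWithStatement` would execute it as SQL. Using try-with-resources on the Statement, PreparedStatement and ResultSet also closes them deterministically, which avoids leaking database cursors under load.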