连接数据库
// Load the JDBC driver class so it registers itself with DriverManager.
// NOTE(review): "com.mysql.jdbc.Driver" is the legacy Connector/J 5.x class name; Connector/J 8 uses
// com.mysql.cj.jdbc.Driver and registers via the JDBC 4 service loader, making this call unnecessary there.
Class.forName("com.mysql.jdbc.Driver");
// JDBC URL: host, port and database "xxx"; useUnicode/characterEncoding make the session use UTF-8.
String url = "jdbc:mysql://localhost:3306/xxx?useUnicode=true&characterEncoding=utf8";
// Create the connection object. The credentials ("root" with an empty password) are hard-coded for the
// demo only; real code should read them from configuration and use a least-privilege database account.
Connection sqlcon = DriverManager.getConnection(url, "root", "");
Statement执行SQL语句
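// JDBC URL for database "xxx"; the stray space that preceded "useUnicode" in the query string is removed.
String url="jdbc:mysql://localhost:3306/xxx?useUnicode=true&characterEncoding=utf8";
// Credentials are hard-coded for the demo only; keep them out of source code in real applications.
String user="root";
String pwd="";
// SQL with "?" placeholders: the values are bound below rather than concatenated into the string.
String sql ="insert into student(stuname,stuno,stusex,age,clsname) values(?,?,?,?,?)";
Connection sqlcon = null;
try{
//Load the driver (legacy Connector/J 5.x class name)
Class.forName("com.mysql.jdbc.Driver");
//Create the connection object
sqlcon = DriverManager.getConnection(url, user, pwd);
//Create the execution object. pst is never closed in this snippet; close it (and sqlcon) in a
//finally block or with try-with-resources so the server-side statement handle is released on every path.
PreparedStatement pst = sqlcon.prepareStatement(sql);
//Bind the placeholders (binding values as parameters, instead of building the SQL string, prevents SQL injection)
pst.setString(1, "王二麻子");
pst.setString(2, "S012");
pst.setString(3,"男");
pst.setInt(4, 30);
pst.setString(5, "三 班");
//Execute the statement; executeUpdate returns the number of affected rows
int iline = pst.executeUpdate();
if(iline>0){
System.out.println("执行成功。。。");
}else{
System.out.println("执行失败。。。");
}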
//Step 1: write the SQL statement
//NOTE: this insert string is dead code; it is overwritten by the update on the next line before it is used
String sql ="insert into student(stuname,stuno,stusex,age,clsname) values('马良','s2019019','男',20,'三班')";
sql="update student set stuno='S010' where id=10";
//Step 2: obtain the connection object (Test2.getConnection() is a helper defined elsewhere on this page's project, not shown here)
Connection con=Test2.getConnection();
//Create the execution object. A plain Statement is only acceptable for fixed SQL text like the literal above;
//any statement that includes user-supplied values must use PreparedStatement with "?" placeholders instead.
Statement stm = con.createStatement();
//Execute the SQL; executeUpdate returns the number of affected rows. stm (and con) are never closed in this snippet.
int iline = stm.executeUpdate(sql);
//Check whether the update changed any rows
if(iline>0){
System.out.println("保存成功。。。");
}else{
System.out.println("保存失败。。。");
}
==============================================
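// JDBC URL for database "xxx"; useUnicode/characterEncoding make the session use UTF-8.
String url="jdbc:mysql://localhost:3306/xxx?useUnicode=true&characterEncoding=utf8";
// Credentials are hard-coded for the demo only; keep them out of source code in real applications.
String user="root";
String pwd="";
// A classic injection-style input, deliberately passed as DATA to show that parameter binding neutralises it:
// the quote and "or 1=1" stay inside the LIKE pattern and are never interpreted as SQL.
// Caveat: "%" and "_" are still LIKE wildcards, so escape them if user input must be matched literally.
String param="%张' or 1=1 or 1='%";
// SQL with a "?" placeholder; the pattern is bound below rather than concatenated into the string.
String sql ="select * from student where stuname like ? ";
Connection sqlcon = null;
try{
//Load the driver (legacy Connector/J 5.x class name)
Class.forName("com.mysql.jdbc.Driver");
//Create the connection object
sqlcon = DriverManager.getConnection(url, user, pwd);
//Create the execution object. pst and the ResultSet below are never closed in this snippet;
//release them in a finally block or with try-with-resources.
PreparedStatement pst = sqlcon.prepareStatement(sql);
//Bind the placeholder with the prepared value (param was previously declared but unused; the same literal was repeated here)
pst.setString(1, param);
//Execute the query; executeQuery returns the matching rows, not an affected-row count
ResultSet rst= pst.executeQuery();
while(rst!=null && rst.next()){
System.out.println(rst.getString("stuname"));
}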
关闭连接
// Close the connection. This belongs in a finally block (or the whole snippet should use try-with-resources)
// so it also runs when getConnection()/executeQuery() throws; as written, an exception inside the try above
// leaves the connection open. Note that the PreparedStatement and ResultSet opened above are never closed,
// and close() itself can throw SQLException, which a finally block must handle separately.
if(sqlcon!=null){
sqlcon.close();
}