Statement和PreparedStatement的区别（使用JDBCUtils工具类）

Statement可能会发生Sql注入情况，但是PreparedStatement不会发生

package com.alex.jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Scanner;

import org.junit.Test;

import com.alex.util.JDBCUtils;



public class TestConnection05 {
	
	Scanner scanner = new Scanner(System.in);
	//登录测试
	//Statement这种方式容易引起SQL注入
	//Statement查询操作展示
	@Test
	public void test_Statement() throws Exception{
		
		System.out.println("请输入用户名：");
		String username = scanner.next();
		
		System.out.println("请输入用户密码：");
		String password = scanner.next();
		//打开连接
		Connection connection = JDBCUtils.getConnection();
		
		Statement statement = connection.createStatement();
		
		String sql = "select COUNT(*) from admin where username='"+username+"' and `password`='"+password+"'";
		ResultSet resultSet = statement.executeQuery(sql);
	
		if(resultSet.next()){
			int count = resultSet.getInt(1);
			System.out.println(count > 0 ? "success":"fail");
		}
	
		JDBCUtils.closeConnection(resultSet, statement, connection);
	}
	
    //PreparedStatement查询操作展示
 	@Test
    public void test_PreparedStatement() throws Exception{

    	System.out.println("请输入用户名：");
		String username = scanner.next();
		
		System.out.println("请输入用户密码：");
		String password = scanner.next();
		//打开连接
		//?占位符
		Connection connection = JDBCUtils.getConnection();
		String sql="select COUNT(*) from admin where username= ? and `password`= ?";
		PreparedStatement prepareStatement = connection.prepareStatement(sql);
		//索引从一开始
		prepareStatement.setString(1, username);
		prepareStatement.setString(2, password);
		
		
		ResultSet resultSet=prepareStatement.executeQuery();
  
		if(resultSet.next()){
			int count = resultSet.getInt(1);
			System.out.println(count > 0 ? "success":"fail");
		}
	
		JDBCUtils.closeConnection(resultSet, prepareStatement, connection);
    
    }

}