- 预处理
Statement 通过字符串拼接构造 SQL，存在 SQL 注入问题。例如登录校验拼接为 `"select * from T_users where loginName = '" + loginName + "' and userPwd = '" + userPwd + "'"`，若攻击者把密码输入为 `' or '1'='1`，最终 SQL 变成 `select * from T_users where loginName = 'xxx' and userPwd = '' or '1'='1'`，由于 `or '1'='1'` 恒为真，查询总能返回记录，不需要知道真实密码就能绕过登录判断。 - PreparedStatement 和 Statement 的区别
1.PreparedStatement接口是Statement的子接口
2.PreparedStatement 预编译：SQL 模板先编译，用户输入只能通过 `?` 占位符以参数形式传入，不会被当作 SQL 语法解析，从而防止 SQL 注入。注意：只有真正用 `setXxx()` 传参才有这层保护，若仍把用户输入拼接进 PreparedStatement 的 SQL 字符串，同样会被注入；另外表名、列名、ORDER BY 字段等标识符不能用 `?` 参数化，需要用白名单校验。
3.PreparedStatement 在同一条 SQL 反复执行（只换参数）时通常比 Statement 效率高，因为可以复用预编译结果；实际收益取决于驱动和配置（例如 MySQL Connector/J 默认在客户端模拟预编译，需设置 useServerPrepStmts=true 才使用服务端预编译）。 - 案例
1.com.oracle.pojo
package com.oracle.pojo;
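/**
 * Plain entity mapped from the users table (database row ---> Java object).
 *
 * <p>Holds the user id, login name, password and real name with plain getters/setters.
 * {@link #toString()} deliberately masks {@code userpwd}: this object is likely to be
 * logged or printed, and the original implementation leaked the password into those
 * outputs.
 */
public class Users {
    private int userid;
    private String loginname;
    private String userpwd;
    private String realname;

    /** @return the numeric user id */
    public int getUserid() {
        return userid;
    }

    /** @param userid the numeric user id */
    public void setUserid(int userid) {
        this.userid = userid;
    }

    /** @return the login name */
    public String getLoginname() {
        return loginname;
    }

    /** @param loginname the login name */
    public void setLoginname(String loginname) {
        this.loginname = loginname;
    }

    /** @return the password value as stored in this object */
    public String getUserpwd() {
        return userpwd;
    }

    /** @param userpwd the password value to hold */
    public void setUserpwd(String userpwd) {
        this.userpwd = userpwd;
    }

    /** @return the real (display) name */
    public String getRealname() {
        return realname;
    }

    /** @param realname the real (display) name */
    public void setRealname(String realname) {
        this.realname = realname;
    }

    /**
     * Debug representation. The password field is replaced by a fixed placeholder so
     * that logging this object never exposes the credential.
     */
    @Override
    public String toString() {
        // SECURITY: never include userpwd here; toString() ends up in logs and stack traces.
        return "Users [userid=" + userid + ", loginname=" + loginname
                + ", userpwd=[PROTECTED], realname=" + realname + "]";
    }
}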
2.com.oracle.util
package com.oracle.util;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
public class DBUtils {
// NOTE(review): the connection property is written as "characterencoding = UTF8" with
// spaces around '='; the documented Connector/J form is "?characterEncoding=UTF-8".
// Verify the driver actually applies this encoding, otherwise non-ASCII data may be mangled.
public static final String URL = "jdbc:mysql:///java210601?characterencoding = UTF8";
// SECURITY: database credentials are hard-coded in source, and it is the root account.
// Acceptable only for a local teaching demo; anything deployed should read them from
// configuration or a secrets store and use a least-privilege DB account.
public static final String USER = "root";
public static final String PSSWORD = "root";
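static {
    // Explicitly load the legacy Connector/J driver class so it registers with
    // DriverManager. Since JDBC 4 drivers are auto-registered via META-INF/services, so
    // this is only needed for very old drivers; on Connector/J 8.x the class is
    // com.mysql.cj.jdbc.Driver and the old name is a deprecated alias.
    // A missing driver makes every later getConnection() call fail anyway, so fail loudly
    // at class-initialisation time with the cause attached instead of printing a stack
    // trace and silently continuing.
    try {
        Class.forName("com.mysql.jdbc.Driver");
    } catch (ClassNotFoundException e) {
        throw new ExceptionInInitializerError(e);
    }
}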
public static Connection getConnection(){
Connection conn= null;
try {
conn = DriverManager.getConnection(URL, USER