Using a PreparedStatement object instead of Statement to prevent SQL injection
Submitting illegal SQL fragments (such as ' or 1==1 or ') that exploit the weakness of the Statement object (the input is pasted into the SQL text), and thereby performing unauthorized operations on database tables, is called SQL injection.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
// MySQL driver class (assumed legacy Connector/J package; Connector/J 8 uses com.mysql.cj.jdbc.Driver)
import com.mysql.jdbc.Driver;

public class PreparedStatementDemo {
    public static void main(String[] args) throws Exception {
        // The value to search for; in the original it came from user input
        String name = args.length > 0 ? args[0] : "tom";
        // Declared outside try so that finally can close them
        Connection conn = null;
        PreparedStatement pstmt = null;
        ResultSet rs = null;
        try {
            DriverManager.registerDriver(new Driver());
            // URL, database user name, password
            conn = DriverManager.getConnection("jdbc:mysql://127.0.0.1:3306/jdbc", "root", "root");
            String sql = "select id,name,sal from users where name = ?";
            pstmt = conn.prepareStatement(sql);
            // Set the value for the ? placeholder
            // ? can only stand in for an actual value, never for a table name or column name
            // ? are numbered from left to right: the first ? is 1, the second ? is 2, and so on
            pstmt.setString(1, name);
            rs = pstmt.executeQuery();
            while (rs.next()) {
                int id = rs.getInt("id");
                name = rs.getString("name");
                int sal = rs.getInt("sal");
                System.out.println(id);
                System.out.println(name);
                System.out.println(sal);
                System.out.println("------------------------");
            }
        } catch (Exception e) {
            e.printStackTrace();
            throw e;
        } finally {
            // JdbcUtil is the page's own helper class (assumed to have close() overloads for each resource);
            // release in reverse order of acquisition
            JdbcUtil.close(rs);
            JdbcUtil.close(pstmt);
            JdbcUtil.close(conn);
        }
    }
}
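The following example is added here and is not part of the original post. It uses Python's sqlite3 module and an in-memory database so it can run without a MySQL server; the parameter binding works the same way as a JDBC PreparedStatement. It puts the Statement-style concatenated query beside the placeholder version, feeds both the page's kind of input (' or 1=1 or ', a constructed value), and then shows the comment's caveat that ? can only replace a value, not a column name: binding "name" where an identifier belongs yields the literal string, so identifiers must instead be checked against an allow-list. The table contents and the ALLOWED_COLUMNS set are constructed for the example.

```python
import sqlite3

# Constructed sample rows shaped like the page's users table (id, name, sal).
USERS = [(1, "alice", 5000), (2, "bob", 4200), (3, "carol", 6100)]

# Column names the application is willing to interpolate into SQL text.
ALLOWED_COLUMNS = {"id", "name", "sal"}


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, name text, sal integer)")
    conn.executemany("insert into users values (?, ?, ?)", USERS)
    return conn


def find_by_name_concat(conn, name):
    """Statement-style query: the value becomes part of the SQL text,
    so quotes and keywords inside it change the query's meaning."""
    sql = "select id,name,sal from users where name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_prepared(conn, name):
    """PreparedStatement-style query: the value is bound to a ? placeholder
    and is compared as a plain string, whatever characters it contains."""
    sql = "select id,name,sal from users where name = ?"
    return conn.execute(sql, (name,)).fetchall()


def select_column_wrong(conn, column):
    """A ? placed where an identifier belongs binds the string itself:
    every row returns the text 'name', not the value of the name column."""
    return [row[0] for row in conn.execute("select ? from users", (column,))]


def select_column_allowlist(conn, column):
    """Identifiers cannot be bound, so validate them against an allow-list
    before building the SQL text; anything else is rejected outright."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    return [row[0] for row in conn.execute("select " + column + " from users")]


if __name__ == "__main__":
    db = make_db()
    injected = "' or 1=1 or '"  # constructed input following the page's pattern
    print("concatenated:", find_by_name_concat(db, injected))  # every row
    print("prepared:    ", find_by_name_prepared(db, injected))  # no rows
    print("bound ident: ", select_column_wrong(db, "name"))  # ['name', 'name', 'name']
    print("allow-listed:", select_column_allowlist(db, "name"))
```

With the concatenated form the injected value turns the WHERE clause into name = '' or 1=1 or '', which is true for every row; with the placeholder the same string is simply a name that matches nothing. The last two functions show why the page's comment says ? only replaces values: a bound "name" is a constant, so the only safe way to take a column name from outside is to compare it against a fixed set before it touches the SQL text.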