防止sql注入方式:
1.在jdbc的PreparedStatement 用?占位符
1.在jdbc的PreparedStatement 用?占位符
String sql= "SELECT * FORM emp where ENAME=?";
PreparedStatement ps = connect.preparedStatement(sql);
ps.setString(1,'KING');
ResultSet rs = ps.executeQuery();
2.在Hibernate的hql中使用=:或者?
Query query=session.createQuery("SELECT * FORM emp where ENAME=:name"); 或者
Query query=session.createQuery("SELECT * FORM emp where ENAME=?");
3.在mybatis中使用#{param}
<select id="selectByName">
select * from user WHERE name = #{name}
</select>