import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;public classJdbcQueryDongTai {static final String DRIVER = "oracle.jdbc.driver.OracleDriver";static final String URL = "jdbc:oracle:thin:@localhost:1521:orcl";static final String USERNAME = "scott";static final String PASSWORD = "scott";public static voidgetConnection(Teacher teacher) {
Connection conn= null;
PreparedStatement ps= null;
ResultSet rs= null;try{//导入oracle的jar包//加载驱动(反射技术)
Class.forName(DRIVER);//获取oracle的连接
conn =DriverManager.getConnection(URL, USERNAME, PASSWORD);//获取PreparedStatement:预编译的statement,预编译的意思:在sql传入值之前-->提前编译//还是一个静态的sql//String sql = "select * from teacher where id = " + teacher.getId();//动态的sql
String sql = "select * from teacher where id = ?";//String sql = "inset into teacher (id, name, age, description, hire_date) values(?,?,?,?,?)";
ps = conn.prepareStatement(sql);//首先会把sql提前编译好-->select * from teacher where id = ?;这里的问号就是一个占位符//把占位符替换为需要的数据//ps.setInt("sql语句中第几个问号", "需要把问号替换的值"); 第一个参数一定要从1开始,不能从0开始//ps.setInt(1, 3);//ps.setString(2, "lisi");
ps.setInt(1, 5);/**
* 为什么要使用preparedstatement而不用statement
* 1.statement会编译后直接执行,把传的参数一起编译进sql,但是preparedstatement会先把sql编译好,然后再把参数替换问号
* sql恶意注入:通过网络进行恶意攻击你的网站--->修改你的sql
* 在statement中会把参数编译进sql语句中:
* String sql2 = "select * from teacher where name = '"+teacher.getName()+"' and age="+teacher.getAge();
sql2 = "select * from teacher where name = '"+teacher.getName()+"' and age="+teacher.getAge()+";drop table teacher";
*
* 使用preparedstatement:
* String sql2 = "select * from teacher where name = '"+teacher.getName()+"' and age="+teacher.getAge();
"select * from teacher where name = teacher.getName() and age = teacher.getAge;"
*
* 2.执行的是同一条sql,如果经过10次查询,就会创建10个statement,但是经过10次查询只会创建一个preparedstatement对象,单例的思想
* 但是statement可以批量执行in,但是preparedstatement在sql1992不能,在sql1999就可以了*/
//如果是查询,调用executeQuery()
rs = ps.executeQuery();//sql在这里执行
while(rs.next()) {//和以前的代码是一样的
}
}catch(Exception e) {
e.printStackTrace();
}finally{//释放资源
if(rs != null) {try{
rs.close();
}catch(SQLException e) {
e.printStackTrace();
}
}if (ps != null) {try{
ps.close();
}catch(SQLException e) {
e.printStackTrace();
}
}if (conn != null) {try{
conn.close();
}catch(SQLException e) {
e.printStackTrace();
}
}
}
}
}