JDBC 的 Statement 操作数据库 和 PreparedStatement 解决 sql 注入的练习
import org.junit.Test;
import java.sql.*;
import java.util.Scanner;
public class t3 {
@Test
public void login() {
try {
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名");
String pname = sc.next();
System.out.println("请输入密码");
String page = sc.next();
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/day08?characterEncoding=utf-8","root","root");
Statement sta = conn.createStatement();
ResultSet rs = sta.executeQuery(
"select * from test1 where pname = '"+pname+"' "+" and page = '"+page+"' "
// 第一个 '"+pname+"' 第二个 "+" 第三个 '"+page+"'
);
if(rs.next()){
System.out.println("登录成功");
}else{
System.out.println("登录失败");
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
@Test
public void login2() {
try {
Scanner sc = new Scanner(System.in);
System.out.println("请输入用户名");
String pname = sc.next();
System.out.println("请输入密码");
String page = sc.next();
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/day08?characterEncoding=utf-8","root","root");
PreparedStatement ps = conn.prepareStatement(
"select * from test1 where pname =? and page =? "
// 没赋值 ?
);
ps.setString(1,pname);
ps.setString(2,page);
// 赋值 ?
ResultSet rs = ps.executeQuery(
);
if(rs.next()){
System.out.println("登录成功");
}else{
System.out.println("登录失败");
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException throwables) {
throwables.printStackTrace();
}
}
// 修改
@Test
public void alter(){
try {
Class.forName("com.mysql.jdbc.Driver");
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/day08?characterEncoding=utf-8","root","root");
PreparedStatement ps = conn.prepareStatement(
"update test1 set pname =? , page =? where pid=? "
// 没赋值 ?
);
ps.setString(1,"小李"