一. PreparedStatement与Statement的区别
1.不需要sql语句拼接,防止sql注入,更加安全
2.用占位符的方式写sql,便于后期维护,提高代码可读性,可以自动对类型进行转换
3.有预编译功能,可以大批量处理sql,(mysql不明显,Oracle很明显)
4.向数据库中添加一条数据
5.PreparedStatement:用于执行sql语句的对象
6.用connection的PreparedStatement(sql)方法获取
7.用executeUpdate(sql)执行sql语句
* 注意:只能执行 insert,update,delect,不能执行select
package jdbcparment;
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
/**
* 这是连接数据库的方法,放到此工具类中
* @return
* @throws IOException
*
*
*/
public class JDBCTools {
static Connection con;
static String url;
static Properties properties;
static{
//1.创建properties对象
properties = new Properties();
try {
//2.从类路径下加载db.properties文件
properties.load(JDBCTools.class.getClassLoader().getResourceAsStream("db.properties"));
//3.获取db.properties中加载的url信息
url=properties.getProperty("url");
} catch (IOException e) {
e.printStackTrace();
}
}
通过DriverManager的getConnection()方法获取数据库连接
public static Connection getConnections(){
try {
con = DriverManager.getConnection(url, properties);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
return con;
}
}
.Statement对象
public static void testStatement() throws SQLException{
System.out.println("请输入名字");
Scanner scanner = new Scanner(System.in);
String name = scanner.nextLine();
System.out.println("请输入密码");
String password = scanner.nextLine();
//调用getConnections
Connection con= JDBCTools.getConnections();
Statement statement = con.createStatement();
ResultSet result = statement.executeQuery("select * from users where name ='"+ name+"'|| password= '" + password + "'");
//'or' 1 '=' 1
while(result.next()){
String name1 = result.getString("name");
String pwd = result.getString("password");
String email = result.getString("email");
System.out.println("name:" + name1 + "\tpwd:" + pwd + "\temail:" + email);
}
result.close();
statement.close();
con.close();
}
public static void main(String[] args) {
try {
testStatement();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally{
}
}
PrepareStatement对象
public static void testPrepareStatement() throws SQLException{
System.out.println("请输入名字");
Scanner scanner = new Scanner(System.in);
String name = scanner.nextLine();
System.out.println("请输入密码");
String password = scanner.nextLine();
//调用getConnections
Connection con= JDBCTools.getConnections();
PreparedStatement pst = con.prepareStatement("select * from users where name = ? and password =? ");
pst.setString(1, name);
pst.setString(2, password);
ResultSet resultSet = pst.executeQuery();
while(resultSet.next()){
String name1 = resultSet.getString(2);
String pwd = resultSet.getString(3);
String email = resultSet.getString(4);
System.out.println("name:" + name1 + "\tpwd:" + pwd + "\temail:" + email);
}
resultSet.close();
pst.close();
con.close();
}
public static void main(String[] args) {
try {
testPrepareStatement();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally{
}
}
}