jdbc编写工具类并测试

1.工具类

package com.mahui.Lesson02.utils;
import java.io.InputStream;
import java.sql.*;
import java.util.Properties;

public class jdbcUtils {
    private static String driver =null;
    private static String url =null;
    private static String username=null;
    private static String password=null;
    static{
        try {
            //加载配置文件
            //获得一个input流
            InputStream in = jdbcUtils.class.getClassLoader().getResourceAsStream("db.properties");
            Properties properties = new Properties();
            properties.load(in);
          driver= properties.getProperty("driver");
          url=properties.getProperty("url" );
          username=properties.getProperty("username");
          password=properties.getProperty("password");
          //加载驱动 只加载一次
            Class.forName(driver);

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    //获得连接
    public static Connection getConnection() throws SQLException {
           return  DriverManager.getConnection(url, username, password);
    }
    //释放资源
    public static  void release(Connection coon,Statement st ,ResultSet rs){
        if(rs!=null){
            try {
                rs.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }

        if(st!=null){
            try {
                st.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
        if(coon!=null){
            try {
                coon.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }

}

2.测试

1. statement对象
1.增加
package com.mahui.Lesson02;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class TestInsert {

    public static void main(String[] args) {
        Connection conn =null;
        Statement st=null;
        ResultSet rs=null;
        try {
            conn= jdbcUtils.getConnection();
            String sql="INSERT INTO users(`id`,`NAME`,`PASSWORD`,`email`,`birthday`)" +
                    "VALUES (4,'哈士奇','124563','12354552@qq.com','2020-02-01')";
            st=conn.createStatement();
            int i = st.executeUpdate(sql);
            if(i>0){
                System.out.println("插入成功");
            }
            //释
            jdbcUtils.release(conn,st,rs);

        } catch (SQLException e) {
            e.printStackTrace();
        }

    }
}

2.删除
package com.mahui.Lesson02;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class TestDelete {

    public static void main(String[] args) {
        Connection conn=null;
        Statement st =null;
        ResultSet rs=null;
        try {
            //获取连接
           conn = jdbcUtils.getConnection();
            //获取statement对象
            st = conn.createStatement();
            String sql="DELETE FROM users WHERE id=4";
            //执行statement对象
            int i = st.executeUpdate(sql);
            if(i>0){
                System.out.println("删除成功");
            }
            //释放资源
            jdbcUtils.release(conn,st,rs);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}

3.修改
package com.mahui.Lesson02;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class TestUpdate {
    public static void main(String[] args) {
        Connection conn= null;
        Statement st=null;
        ResultSet rs =null;

        try {
          conn = jdbcUtils.getConnection();
          String sql ="UPDATE users SET NAME=\"灰太狼\" WHERE id=1";
          st = conn.createStatement();
            int i = st.executeUpdate(sql);
            if(i>0){
                System.out.println("更新成功");
            }
            jdbcUtils.release(conn,st,rs);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}

4.查询
package com.mahui.Lesson02;

import com.mahui.Lesson02.utils.jdbcUtils;

import javax.swing.plaf.nimbus.State;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class TestSelect {
    public static void main(String[] args) {
        Connection conn=null;
        Statement st =null;
        ResultSet rs =null;
        try {
            conn  = jdbcUtils.getConnection();
            String sql="select * from users where id =1";
            st= conn.createStatement();
            rs = st.executeQuery(sql);
            while(rs.next()){
                System.out.println(rs.getString("NAME"));
            }
            jdbcUtils.release(conn,st,rs);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}

5.sql注入 成功

不安全可以差寻所有的信息

package com.mahui.Lesson02;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SqlInjection {
    public static void main(String[] args) {
       //正常登录 login("lisi","123456");
        //sql注入 ''or'1=1'  拼接字符串
        login("' or '1=1","'or '1=1");
    }
    public static void  login(String username,String password){
        Connection conn =null;
        Statement st=null;
        ResultSet rs =null;


        try {
            conn = jdbcUtils.getConnection();
            //SELECT * FROM users WHERE `NAME`='lisi' AND `PASSWORD`='123456'
            //name=''or'1=1'  password=''or'1=1'
            //SELECT * FROM users WHERE `NAME`='"+username+"' AND `PASSWORD`='"+password+"'"
            String sql ="SELECT * FROM users WHERE `NAME`='"+username+"' AND `PASSWORD`='"+password+"'";
            st = conn.createStatement();
            rs = st.executeQuery(sql);
             while(rs.next()){
                 System.out.println("username="+ rs.getObject("NAME"));
                 System.out.println("password="+ rs.getObject("password"));
                 System.out.println("=================================");
             }

        } catch (SQLException e) {
            e.printStackTrace();
        }
        finally {
            jdbcUtils.release(conn,st,rs);
        }
    }
}

2. PreparedStatement对象

防止了sql注入

本质是:将传入的参数当作字符 如果传递进来的参数含有转义字符,则会被直接转义

1.增加
package com.mahui.Lesson03;


import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.util.Date;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class TestInsert {
    public static void main(String[] args) {
        Connection conn=null;
        PreparedStatement st=null;
        try {
            //获得连接
          conn=  jdbcUtils.getConnection();
          //使用? 占位符
          String sql="INSERT into users(`id`,`NAME`,`PASSWORD`,`email`,`birthday`) values (?,?,?,?,?)";
          //sql预编译
          st =conn.prepareStatement(sql);
          //设置值
          st.setInt(1,4);
          st.setString(2,"灰太狼");
          st.setString(3,"1234566");
          st.setString(4,"123@qq.com");
          //new Date().getTime()时间戳  放入sql的date中
          st.setDate(5,new java.sql.Date(new Date().getTime()));
            int i = st.executeUpdate();
            if(i>0){
                System.out.println("插入成功!");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }finally {
            jdbcUtils.release(conn,st,null);
        }
    }
}

2.删除
package com.mahui.Lesson03;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class TestDelete {
    public static void main(String[] args) {
        Connection conn =null;
        PreparedStatement st=null;
        try {
           conn = jdbcUtils.getConnection();

           String sql ="DELETE from users where id=?";
           st=conn.prepareStatement(sql);
           st.setInt(1,4);
            int i = st.executeUpdate();
            if(i>0){
                System.out.println("删除成功!");
            }

        } catch (SQLException e) {
            e.printStackTrace();
        }
        finally {
            jdbcUtils.release(conn,st,null);
        }
    }
}

3.更新
package com.mahui.Lesson03;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class TestUpdate {
    public static void main(String[] args) {
        Connection conn= null;
        PreparedStatement st =null;
        try {
         conn=    jdbcUtils.getConnection();

         String sql ="update users set `name` =?where id=?";
         st= conn.prepareStatement(sql);

         st.setString(1,"喜羊羊");
         st.setInt(2,1);

            int i = st.executeUpdate();
            if(i>0){
                System.out.println("更新成功!");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }finally {
            jdbcUtils.release(conn,st,null);
        }
    }
}

4.查询
package com.mahui.Lesson03;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class TestSelect {
    public static void main(String[] args) {
        Connection conn =null;
        PreparedStatement st =null;
        ResultSet rs=null;
        try {
            conn =jdbcUtils.getConnection();

            String sql="select * from users where id=?";
            st =conn.prepareStatement(sql);
            st.setInt(1,1);
            rs =st.executeQuery();
            while(rs.next()){
                System.out.println(rs.getObject("NAME"));
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }finally {
            jdbcUtils.release(conn,st,rs);
        }
    }
}

5.sql注入测试 失败

注入不成功

package com.mahui.Lesson03;

import com.mahui.Lesson02.utils.jdbcUtils;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class SqlInjection {
    public static void main(String[] args) {

       // 正常登录 login("lisi","123456");

        //执行但是查不出来任何的信息
        login("''or 1=1","''or 1=1");
    }
    public  static void login(String username,String password){
        Connection conn=null;
        PreparedStatement st =null;
        ResultSet rs =null;
        try {
            conn =jdbcUtils.getConnection();
            String sql="select * from users where `NAME`=? and `PASSWORD`=?";
            //PreparedStatement 防止sql注入的本质是:把传递进来的参数当作字符。
            //假设其中有转义字符,比如说’会被直接转义
            st =conn.prepareStatement(sql);
            st.setString(1,username);
            st.setString(2,password);
            rs = st.executeQuery();

            while (rs.next()){
                System.out.println("登录成功");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
        finally {
            jdbcUtils.release(conn,st,rs);
        }
    }
}

已标记关键词 清除标记
©️2020 CSDN 皮肤主题: 游动-白 设计师:上身试试 返回首页