使用 JDBC 的 Statement 接口时需要注意 SQL 注入问题：
Statement 接口只能以字符串拼接的形式传递参数值
package cn.com.jdbc;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;
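/**
 * Demonstrates executing SQL through {@link Statement} and why building the SQL text by
 * string concatenation is the SQL-injection vector: the value becomes part of the statement
 * text, so a value containing quotes or SQL keywords changes the statement's meaning. The
 * commented-out {@code delete} example below shows the shape of the problem; Demo03 shows
 * the remedy (placeholders bound through {@link java.sql.PreparedStatement}).
 */
public class Demo02 {

    /** Loads the MySQL driver, opens a connection and runs one concatenated INSERT. */
    public static void main(String[] args) {
        // NOTE(review): credentials are hard-coded for the demo; real code should read them
        // from configuration rather than the source.
        String url = "jdbc:mysql://localhost:3306/testjdbc";
        try {
            // Explicit driver registration (JDBC 4 drivers also self-register).
            Class.forName("com.mysql.jdbc.Driver");
            // try-with-resources closes the Statement and then the Connection even when
            // execute() throws; without it both stay open on every exit path.
            try (Connection c = DriverManager.getConnection(url, "root", "123456");
                 Statement st = c.createStatement()) {
                String name = "小军";
                // With Statement the value can only be spliced into the SQL text, so the
                // database parses whatever `name` contains as SQL. That is the injection
                // risk; bind values with ? placeholders on a PreparedStatement instead (Demo03).
                String sql = "insert into t_user(id,name,gender) values(5,'" + name + "','男')";
                st.execute(sql);
                // SQL-injection illustration, kept disabled: a where-clause value like
                // "5 or 1 = 1" spliced into the delete makes the predicate always true,
                // so the statement would delete every row instead of one.
                // String id = "5 or 1 = 1";
                // String sql = "delete from t_user where id =" + id;
                // st.execute(sql);
            }
        } catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
        }
    }
}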
这里的 values 里用 ?（占位符）来表示参数，参数值再通过对应类型的 setXxx() 方法或 setObject() 方法绑定，从而避免了 SQL 注入问题
package cn.com.jdbc;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
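/**
 * Demonstrates the basic use of {@link PreparedStatement}: the SQL text carries {@code ?}
 * placeholders and the values are bound afterwards with the typed {@code setXxx} methods
 * (or {@code setObject}), so a value is sent separately from the statement text and is
 * never parsed as SQL. This is the remedy for the concatenation shown in Demo02.
 */
public class Demo03 {

    /** Loads the MySQL driver, opens a connection and inserts one row through bound parameters. */
    public static void main(String[] args) {
        // NOTE(review): credentials are hard-coded for the demo; real code should read them
        // from configuration rather than the source.
        String url = "jdbc:mysql://localhost:3306/testjdbc";
        // ? placeholders: the values are bound below, not spliced into this string.
        String sql = "insert into t_user(id,name,gender) values(?,?,?)";
        try {
            // Explicit driver registration (JDBC 4 drivers also self-register).
            Class.forName("com.mysql.jdbc.Driver");
            // try-with-resources closes the PreparedStatement and the Connection on every
            // exit path, including when execute() throws.
            try (Connection c = DriverManager.getConnection(url, "root", "123456");
                 PreparedStatement ps = c.prepareStatement(sql)) {
                // JDBC parameter indexes start at 1. Typed setters are used where the type is
                // known; setObject(index, value) is the generic alternative.
                ps.setInt(1, 8);
                ps.setString(2, "小浩");
                ps.setString(3, "男");
                System.out.println("执行添加语句");
                ps.execute();
            }
        } catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
        }
    }
}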