首先来看一下未经预处理的小程序,这个小程序是注册和登录功能,静态的sql 语句,语法不确定性,通过 stmt 执行【Statement stmt 创建】,但这样的话可能会给懂的一些语言的人轻松破解你账户的机会,所以MySQL为了防止这种方式的发生,提供了一种预处理的机制PreparedStatement pstmt
package 未预处理的结果;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Scanner;
/**
* @author Draco-_-
* @see 未预处理的后果,stmt静态语句,语法不确定性,可能会导致别人破解你的账户
* @version
* @date-time 2020-03-17 - 上午9:46:59
*/
public class Test {
Scanner scanner = new Scanner(System.in);
public static void main(String[] args) {
Test t = new Test();
System.out.println("欢迎来到小程序~~");
System.out.println("1——>注册");
System.out.println("2——>登录");
System.out.println("0——>退出");
System.out.print("请选择功能序号:");
int i = t.scanner.nextInt();
switch (i) {
case 1:
t.zhuce();
break;
case 2:
t.denglu();
break;
case 0:
System.out.println("退出成功,欢迎下次再来~~");
break;
}
}
public void zhuce() {
Connection conn;
Statement stmt;// 不是预处理的,正常的
ResultSet rs;
String url = "jdbc:mysql://localhost:3308/crx654";
String user = "root";
String password = "mysql";
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url, user, password);
stmt = conn.createStatement();
System.out.println("欢迎来到注册功能模块");
System.out.print("请输入用户名:");
String name = scanner.next();
System.out.print("请输入密码:");
String psd = scanner.next();
String sql = "insert into userinfo(username,psd) values('" + name + "','" + psd + "')";
int i = stmt.executeUpdate(sql);
if (i == 1) {
System.out.println("操作成功");
} else {
System.out.println("操作失败");
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}
}
/**
* @see 此登录方法只是简单提供登录失败的信息
*/
public void denglu() {
Connection conn;
Statement stmt;// 不是预处理的,正常的
ResultSet rs;
String url = "jdbc:mysql://localhost:3308/user";
String user = "root";
String password = "mysql";
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url, user, password);
stmt = conn.createStatement();
System.out.println("欢迎来到登录功能模块");
System.out.print("请输入用户名:");
String name = scanner.next();
System.out.print("请输入密码:");
String psd = scanner.next();
String sql = "select * from userinfo where username='" + name + "' and psd='" + psd + "'";
rs = stmt.executeQuery(sql);
if (rs.next()) {
System.out.println("登录成功");
} else {
System.out.println("登录失败");
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
经过预处理之后的jdbc代码,只需要更换【Statement stmt; 】——>【PreparedStatement pstmt;】,其他的 jdbc 顺序不变
package jdbc的预处理;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Scanner;
/**
* @author Draco-_-
* @see 经过PreparedStatement预处理的jdbc语句,动态的语句,语法先确定,不会影响sql的语法,避免了sql的注入问题
* @version
* @date-time 2020-03-17 - 下午7:37:25
*/
public class Test {
Scanner scanner = new Scanner(System.in);
public static void main(String[] args) {
Test t = new Test();
// t.zhuce();
t.denglu();
}
public void zhuce() {
Connection conn;
PreparedStatement pstmt;// 是经过预处理的
// Statement stmt;// 不是预处理的,正常的
String url = "jdbc:mysql://localhost:3308/crx654";
String user = "root";
String password = "mysql";
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url, user, password);
//变量用?代替
String sql = "insert into userinfo(username,psd) values(?,?)";
pstmt = conn.prepareStatement(sql);// 直接要sql语句来预编译
System.out.println("欢迎来到注册功能模块");
System.out.print("请输入用户名:");
String name = scanner.next();
System.out.print("请输入密码:");
String psd = scanner.next();
//给两个??赋值
pstmt.setString(1, name);//第一个
pstmt.setString(2, psd);//第二个
int i = pstmt.executeUpdate();
if (i == 1) {
System.out.println("操作成功");
} else {
System.out.println("操作失败");
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}
}
public void denglu() {
Connection conn;
PreparedStatement pstmt;// 是经过预处理的
// Statement stmt;// 不是预处理的,正常的
ResultSet rs;
String url = "jdbc:mysql://localhost:3308/user";
String user = "root";
String password = "mysql";
try {
Class.forName("com.mysql.jdbc.Driver");
conn = DriverManager.getConnection(url, user, password);
//变量用?代替
String sql = "select * from userinfo where username=? and psd=?";
pstmt = conn.prepareStatement(sql);// 直接要sql语句来预编译
System.out.println("欢迎来到登录功能模块");
System.out.print("请输入用户名:");
String name = scanner.next();
System.out.print("请输入密码:");
String psd = scanner.next();
//给两个??赋值
pstmt.setString(1, name);//第一个
pstmt.setString(2, psd);//第二个
rs = pstmt.executeQuery();
if(rs.next()) {
System.out.println("登录成功");
}else {
System.out.println("登录失败");
}
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (SQLException e) {
e.printStackTrace();
}
}
}
最后,上面的两个Java的运行的效果是一样的,但是大家不觉得这样写 jdbc 代码会冗余吗,所以下一篇将会写一篇关于 jdbc 封装的博文,到时候会给一个链接的。
谢谢观看,如有错误,还请不吝赐教