PreparedStatement 可以防止sql注入,因为是预编译 String sql ="select count(*) from user where username=? and password=?"; PreparedStatement ps = conn.prepareStatement(sql); //替换掉(问号) ps.setString(1,username); ps.setString(2,password); ResultSet rs = ps.executeQuery();
Statement Statement s = conn.createStatement(); String sql = "select count(*) from user where username='"+username+"' and password='"+password+"'"; System.out.println(sql); ResultSet rs = s.executeQuery(sql);