问题描述:
连接数据库,执行SQL语句是必不可少的,下面给出了三种执行不通SQL语句的方法。
1.简单的Statement执行SQL语句。有SQL注入,一般不使用。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
|
2.防止SQL注入的PreparedStatement执行SQL语句。
public static void testPreparedStatement(){ PreparedStatement pstm = null; ResultSet rs = null; DataBaseConn con = new DataBaseConn(); try{ pstm = con.getMssqlConn().prepareStatement("select * from tfixitem where fixitem_id = ?"); pstm.setInt(1, 2); rs = pstm.executeQuery(); if(rs.next()){ System.out.println("testPreparedStatement测试,FIXITEM_CODE = " + rs.getString("FIXITEM_CODE")); } }catch(Exception e){ e.printStackTrace(); } }
3.执行存储过程的CallableStatement执行存储过程SQL
public static void testCallableStatement(){ CallableStatement cstm = null; ResultSet rs = null; DataBaseConn con = new DataBaseConn(); try{ cstm = con.getMssqlConn().prepareCall("{call SP_QUERY_TFIXITEM(?,?,?,?,?,?,?,?)}"); cstm.setInt(1, 2); cstm.setInt(2, 1); cstm.setInt(3, 0); cstm.setInt(4, 0); cstm.setString(5, ""); cstm.setString(6, ""); cstm.setString(7, ""); cstm.setInt(8, 0); rs = cstm.executeQuery(); if(rs.next()){ System.out.println("testCallableStatement测试,FIXITEM_CODE = " + rs.getString("FIXITEM_CODE")); } }catch(Exception e){ e.printStackTrace(); } }