对比statement和preparedstatement
statement存在SQL注入问题,preparedstatement解决了SQL注入问题。
statement:存在SQL注入现象,编译一次执行一次。
preparedstatement:解决了SQL注入问题,编译一次,可执行N次,且效率更高。
preparedstatement会在编译阶段做类型的安全检查
需要SQL注入情况
由上可知,大多数情况下使用的均是preparedstatement,但极少数情况下需要使用statement:凡是业务需求中必须把用户输入直接拼接进SQL语句(即所谓"需要SQL注入"的情况,例如排序方向这类无法通过占位符传入的SQL片段)时,则需要使用statement。
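/**
 * Case where the SQL text must be assembled by string concatenation:
 * the ORDER BY direction is SQL syntax, not a value, so it cannot be
 * passed through a PreparedStatement bind parameter and a plain
 * Statement is used instead. Because that fragment comes from the
 * console, it is checked against a fixed allowlist ("asc"/"desc")
 * before it is spliced into the query; anything else is rejected
 * without touching the database.
 */
import java.sql.*;
import java.util.Map;
import java.util.Scanner;

public class Demo03 {
    /**
     * Reads a sort direction from stdin, queries {@code emp} ordered by
     * {@code ename} in that direction and prints each name.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        // The user types "desc" for descending or "asc" for ascending.
        Scanner s = new Scanner(System.in);
        System.out.println("输入desc就是降序,输入asc就是升序");
        System.out.println("请输入:");
        String keyWords = s.nextLine();

        // Allowlist check: only one of the two legal keywords may reach the
        // SQL text, and the canonical literal (not the raw input) is spliced in.
        String direction;
        if ("asc".equalsIgnoreCase(keyWords.trim())) {
            direction = "asc";
        } else if ("desc".equalsIgnoreCase(keyWords.trim())) {
            direction = "desc";
        } else {
            System.out.println("输入无效,只能输入asc或desc");
            return;
        }
        String sql = "select ename from emp order by ename " + direction;

        try {
            // 1. Register the driver.
            Class.forName("com.mysql.jdbc.Driver");
            // 2-4. Open the connection, create the Statement and run the query.
            //      try-with-resources closes rs, stmt and conn in reverse order
            //      even when an exception is thrown.
            // NOTE(review): credentials are hard-coded for the demo; real code
            // should load them from configuration, not source.
            try (Connection conn = DriverManager.getConnection(
                         "jdbc:mysql://localhost:3306/bjpowernode", "root", "333");
                 Statement stmt = conn.createStatement();
                 ResultSet rs = stmt.executeQuery(sql)) {
                // 5. Print each row of the result set.
                while (rs.next()) {
                    System.out.println(rs.getString("ename"));
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
        }
    }
}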
JDBC完成增删改任务
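import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * JDBC insert / update / delete with a PreparedStatement.
 * Every value is supplied through a {@code ?} placeholder, so no data is
 * ever spliced into the SQL text.
 */
public class Demo04 {
    /**
     * Deletes the department with {@code deptno = 70} and prints the number
     * of affected rows. The insert and update variants are kept as comments
     * so each can be tried by swapping the SQL and its binds.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        try {
            // 1. Register the driver.
            Class.forName("com.mysql.jdbc.Driver");
            // 2. Open the connection. Note the URL format "jdbc:mysql://host:port/db"
            //    (the "jdbc:mysql//..." form is wrong). The connection is opened
            //    exactly once here; the original appears to call getConnection
            //    twice in a row, which would leak the first connection.
            //    try-with-resources closes conn even when an exception is thrown.
            // NOTE(review): credentials are hard-coded for the demo; real code
            // should load them from configuration, not source.
            try (Connection conn = DriverManager.getConnection(
                    "jdbc:mysql://localhost:3306/bjpowernode", "root", "333")) {
                // 3. Build the statement.
                // Insert:
                // String sql = "insert into dept (deptno,dname,loc) values(?,?,?)";
                // ps.setInt(1,70); ps.setString(2,"销售部"); ps.setString(3,"西安");
                // Update:
                // String sql = "update dept set dname= ?,loc = ? where deptno = ?";
                // ps.setString(1,"研发一部"); ps.setString(2,"汉中"); ps.setInt(3,60);
                // Delete:
                String sql = "delete from dept where deptno = ?";
                try (PreparedStatement ps = conn.prepareStatement(sql)) {
                    ps.setInt(1, 70);
                    // 4. Execute and report the affected row count.
                    int count = ps.executeUpdate();
                    System.out.println(count);
                }
            }
        } catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
        }
    }
}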