javaweb--API详解-PreparedStatement

发布时间 2023-10-28 21:36:03作者: na2co3-

PreparedStatement

1、预编译SQL语句并执行,预防SQL注入问题

对参数中的敏感字符(例如单引号)进行转义,使传入的值只作为数据处理,不会改变SQL语句的结构

登录模块(使用Statement拼接SQL,存在SQL注入风险,仅作对比)

package com.avb.jdbc;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;

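/**
 * Login check built with {@link Statement} and string concatenation.
 *
 * <p>This is the deliberately insecure variant of the example. The values of
 * {@code name} and {@code pwd} are spliced directly into the SQL text, so a value
 * containing a single quote changes the structure of the query instead of being
 * compared as data. The concatenation is kept on purpose to illustrate the problem;
 * do not copy this pattern. Bind the values with {@code PreparedStatement} and
 * {@code ?} placeholders instead.
 */
public class loginin {
    /**
     * Connects to the local MySQL database {@code db1}, runs the login query and
     * prints whether a matching row exists.
     *
     * @param args unused
     * @throws Exception if the driver class cannot be loaded or a JDBC call fails
     */
    public static void main(String[] args) throws Exception {
        // Register the driver. NOTE(review): this is the Connector/J 5.x class name;
        // Connector/J 8.x names it com.mysql.cj.jdbc.Driver, and JDBC 4 drivers
        // register themselves, so this call is usually optional. Confirm against the
        // driver version on the classpath.
        Class.forName("com.mysql.jdbc.Driver");

        // Connection settings. Demo values only: real code should read credentials
        // from configuration and connect with a least-privilege account, not root.
        String url = "jdbc:mysql://127.0.0.1:3306/db1";
        String username = "root";
        String password = "root";

        // Stand-ins for the user name and password a login form would supply.
        String name = "abc";
        String pwd = "123";

        // INSECURE: the SQL text is assembled from the input values. Any quote
        // character inside name or pwd becomes part of the statement itself.
        String sql = "select * from user where username = '" + name + "' and password = '" + pwd + "'";

        // try-with-resources closes rs, stmt and conn in reverse order even when
        // executeQuery throws, which the original sequential close() calls did not.
        try (Connection conn = DriverManager.getConnection(url, username, password);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            // A returned row means the user name / password pair matched.
            if (rs.next()) {
                System.out.println("登录成功");
            } else {
                System.out.println("登录失败");
            }
        }
    }
}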

 使用PreparedStatement

package com.avb.jdbc;

import java.sql.*;

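/**
 * Login check built with {@link PreparedStatement} and {@code ?} placeholders.
 *
 * <p>The SQL text is fixed and the user name and password are bound as parameters,
 * so their content is always treated as data and cannot alter the query structure.
 */
public class loginin {
    /**
     * Connects to the local MySQL database {@code db1}, runs the parameterized login
     * query and prints whether a matching row exists.
     *
     * @param args unused
     * @throws Exception if the driver class cannot be loaded or a JDBC call fails
     */
    public static void main(String[] args) throws Exception {
        // Register the driver. NOTE(review): this is the Connector/J 5.x class name;
        // Connector/J 8.x names it com.mysql.cj.jdbc.Driver, and JDBC 4 drivers
        // register themselves, so this call is usually optional. Confirm against the
        // driver version on the classpath.
        Class.forName("com.mysql.jdbc.Driver");

        // Connection settings. Demo values only: real code should read credentials
        // from configuration and connect with a least-privilege account, not root.
        // NOTE(review): by default Connector/J prepares statements on the client
        // side (escaping the bound values); server-side precompilation needs the
        // useServerPrepStmts=true URL property. Either mode keeps values out of
        // the SQL syntax.
        String url = "jdbc:mysql://127.0.0.1:3306/db1";
        String username = "root";
        String password = "root";

        // Stand-ins for the user name and password a login form would supply.
        String name = "abc";
        String pwd = "123";

        // SQL with placeholders only; no input is concatenated into the text.
        // NOTE(review): matching on a password column implies passwords are stored
        // unhashed. A production login would look the user up by name and verify a
        // salted password hash (bcrypt/scrypt/argon2) in application code.
        String sql = "select * from user where username = ? and password = ?";

        // try-with-resources closes rs, pstmt and conn in reverse order even when a
        // JDBC call throws, which the original sequential close() calls did not.
        try (Connection conn = DriverManager.getConnection(url, username, password);
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            // Bind the parameter values; indexes are 1-based and follow the order
            // of the ? placeholders.
            pstmt.setString(1, name);
            pstmt.setString(2, pwd);

            // Execute without passing SQL again: the statement already holds it.
            try (ResultSet rs = pstmt.executeQuery()) {
                // A returned row means the user name / password pair matched.
                if (rs.next()) {
                    System.out.println("登录成功");
                } else {
                    System.out.println("登录失败");
                }
            }
        }
    }
}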