PreparedStatementの使い方の詳細
:
/**
* PrepareStatement
*/
/**
* Statement, SQL , , insert
*
* , , SQL ,SQL , , ,
* , , , , '1 or 1',
* , , , Statement,
* SQL , , ,
* SQL
*
* , , insert into test_user(name,age) values(' ',25)
* insert into test_user(name,age) values(' ',26)
* SQL , , MySQL SQL ,
* SQL , SQL
* ,Statement SQL ,
*
* PreparedStatement,
* 1、SQL , PreparedStatement , SQL , ?
* , , 。 PreparedStatement
* , , SQL
* 2、 , PreparedStatement , SQL , ,
* ?, SQL , MySQL , SQL ,
* ,
*/
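/**
 * Demonstrates the basic JDBC workflow with a {@link PreparedStatement}:
 * load the driver, open a connection, bind the two parameters of a
 * parameterised INSERT, execute it and print the affected row count.
 *
 * <p>Both JDBC resources are closed by try-with-resources (statement first,
 * then connection), so they are released even when the insert throws. Only
 * driver-loading and SQL failures are caught; they are printed to stderr, as
 * in the original demo.
 */
private static void preparedStatement() {
    // Parameterised SQL: the values are bound with setX() rather than spliced
    // into the text, so whatever the value contains is treated as data by the
    // server, never as part of the statement.
    String sql = "insert into user(name,age) values(?,?)";
    try {
        // Registers the MySQL driver with DriverManager. Only needed for
        // pre-JDBC-4 drivers; newer drivers self-register via ServiceLoader.
        Class.forName("com.mysql.jdbc.Driver");
        // NOTE(review): URL and root/root credentials are hard-coded for the
        // demo; real code should take them from configuration or a secret
        // store, not from source.
        try (Connection conn = DriverManager.getConnection(
                     "jdbc:mysql://localhost:3306/spark_project?characterEncoding=utf8",
                     "root",
                     "root");
             PreparedStatement ps = conn.prepareStatement(sql)) {
            // Parameter indexes are 1-based and match the '?' order in sql.
            ps.setString(1, " ");
            ps.setInt(2, 26);
            // executeUpdate() is for insert/update/delete and returns the
            // number of rows affected.
            int rtn = ps.executeUpdate();
            System.out.println("SQL 【" + rtn + "】 。");
        }
    } catch (ClassNotFoundException | SQLException e) {
        e.printStackTrace();
    }
}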
:
JDBC (Java Database Connectivity, java ) api java.sql.Statement 。 Statement JDBC :2002-02-05 20:56 02/05/02 8:56 pm。
java.sql.PreparedStatement, 。 PreparedStatement java.sql.Connection sql ,sql (?), , , , :
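// Parameterised form: the '?' placeholders are bound with typed setters, so
// id and name reach the server as values rather than as SQL text.
String sql = "select * from people p where p.id = ? and p.name = ?";
PreparedStatement ps = connection.prepareStatement(sql);
ps.setInt(1, id);
ps.setString(2, name);
ResultSet rs = ps.executeQuery();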
PreparedStatement 。 :
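// Concatenated form that the surrounding text contrasts with the '?'
// placeholder version: id is spliced into the SQL text itself.
String sql = "select * from people p where p.i = " + id;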
JVM (Java Virtual Machine, java ) / 。
PreparedStatement 。 sql , sql 。
PreparedStatement , , sql Statement。
PreparedStatement :
package jstarproject;
import java.sql.*;
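/**
 * Minimal JDBC example that looks up one employee row with a
 * {@link PreparedStatement} against the SQL Server "pubs" sample database.
 *
 * <p>The emp_id value is bound as a parameter instead of being concatenated
 * into the SQL text, so the server handles it as data. All JDBC resources
 * are closed via try-with-resources.
 */
public class MyPreparedStatement {
    private static final String DB_DRIVER = "com.microsoft.jdbc.sqlserver.SQLServerDriver";
    // NOTE(review): host, port and the sa/sa credentials below are hard-coded
    // for the demo; real code should load them from configuration, not source.
    private static final String URL =
            "jdbc:microsoft:sqlserver://127.0.0.1:1433;databasename=pubs";

    public MyPreparedStatement() {
    }

    /**
     * Runs a parameterised SELECT for a single emp_id and prints each
     * matching emp_id to stdout.
     *
     * @throws SQLException if the driver cannot be loaded, the connection
     *     cannot be opened, or the query fails
     */
    public void query() throws SQLException {
        String strSql = "select emp_id from employee where emp_id = ?";
        try (Connection conn = this.getConnection();
             PreparedStatement pstmt = conn.prepareStatement(strSql)) {
            // Parameter indexes are 1-based.
            pstmt.setString(1, "pma42628m");
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    String fname = rs.getString("emp_id");
                    System.out.println("the fname is " + fname);
                }
            }
        }
    }

    /**
     * Loads the driver class and opens a connection with the demo credentials.
     *
     * @return an open connection; never {@code null}
     * @throws SQLException if the driver class is missing (the
     *     {@link ClassNotFoundException} is kept as the cause) or the
     *     connection cannot be established
     */
    private Connection getConnection() throws SQLException {
        try {
            Class.forName(DB_DRIVER);
        } catch (ClassNotFoundException ex) {
            // The original swallowed this and returned null, which only
            // surfaced later as a NullPointerException in query(); fail here.
            throw new SQLException("JDBC driver class not found: " + DB_DRIVER, ex);
        }
        return DriverManager.getConnection(URL, "sa", "sa");
    }

    /** Entry point: runs {@link #query()} once. */
    public static void main(String[] args) throws SQLException {
        MyPreparedStatement jdbcTest1 = new MyPreparedStatement();
        jdbcTest1.query();
    }
}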
PreparedStatement Statement? PreparedStatement Statement?
JDBC , , PreparedStatement Statement. , Statement.
:
. .
PreparedStatement Statement , . Statement :
// Statement form: the four values are spliced into the SQL text, so any quote
// or semicolon inside them becomes part of the statement the server parses.
stmt.executeUpdate("insert into tb_name (col1,col2,col2,col4) values ('"+var1+"','"+var2+"',"+var3+",'"+var4+"')");
// PreparedStatement form: the same insert with '?' placeholders; each value is
// bound by position instead of being concatenated into the SQL text.
perstmt = con.prepareStatement("insert into tb_name (col1,col2,col2,col4) values (?,?,?,?)");
perstmt.setString(1,var1);
perstmt.setString(2,var2);
// NOTE(review): var3 is unquoted (numeric) in the Statement form above but
// bound with setString here — confirm the column type; setInt if it is numeric.
perstmt.setString(3,var3);
perstmt.setString(4,var4);
perstmt.executeUpdate();
, . , , .
.PreparedStatement .
. . DB , , ( ) . Connection , DB , . . statement , , , . :
insert into tb_name (col1,col2) values ('11','22');
insert into tb_name (col1,col2) values ('11','23');
, , . .
, , . .
. .
, SQL .
// Both values are concatenated straight into the SQL text; the lines that
// follow show what a crafted varpasswd turns this query into.
String sql = "select * from tb_name where name= '"+varname+"' and passwd='"+varpasswd+"'";
[' or '1' = '1] varpasswd . , ?
select * from tb_name = ' ' and passwd = '' or '1' = '1';
'1'='1' , . :
[';drop table tb_name;] varpasswd , :
select * from tb_name = ' ' and passwd = '';drop table tb_name; , .
. . , . statement, drop,; .
:https://www.cnblogs.com/raymond19840709/archive/2008/05/12/1192948.html https://www.cnblogs.com/gentle-awen/p/10159300.html