PrepareStationの強み
PreparestatementはSttementに対してメリットがあります。SQL注入のセキュリティホール・Sttementはデータベースが頻繁にSQLをコンパイルするので、データベースバッファのオーバーフロー・データベースと関連ドライバがPrepareSttementを最適化することができます。
JdbcUtils工具類:
テストコード:
JdbcUtils工具類:
/**
* mysql , SingleTon
*/
package mysql.base;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/**
*
* 2009-9-24
*
* @author
*
*/
public final class JdbcUtils {
private static String url = "jdbc:mysql://localhost:3306/test";
private static String username = "root";
private static String password = "xiaochun";
private static JdbcUtils instance = null;
private JdbcUtils() {
};
public static JdbcUtils getInstance() {
if (instance == null) {
synchronized (JdbcUtils.class) {
if (instance == null)
instance = new JdbcUtils();
}
}
return instance;
}
//
static {
// ,
try {
Class.forName("com.mysql.jdbc.Driver");
} catch (ClassNotFoundException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
/**
*
*
* @return Connection
* @exception SQLException
*/
public Connection getConnection() throws SQLException {
return DriverManager.getConnection(url, username, password);
}
/**
*
*
* @param ResultSet
* rs
* @param Statement
* st
* @param Connection
* conn
*/
public void free(ResultSet rs, Statement st, Connection conn) {
try {
if (rs != null)
rs.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} finally {
try {
if (st != null)
st.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} finally {
try {
if (conn != null)
conn.close();
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
}
}
テストコード:
/**
* SQL , , PreparedStatement Statement
*/
package mysql.base;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/**
*
* 2009-9-24
*
* @author
*
*/
public class SQLInject {
/**
* @param args
* @throws SQLException
*/
public static void main(String[] args) throws SQLException {
// TODO Auto-generated method stub
read("xiali"); // SQL inject
read1("xiali");
}
/**
* , PrepareStatement sql
*
* @param name
* @throws SQLException
*/
public static void read(String name) throws SQLException {
// SQL inject
String sqlStr = "select id,name,birthday,money from user where name=?";
// System.out.println(sqlStr);
Connection conn = null;
PreparedStatement ps = null;
ResultSet rs = null;
try {
// ,
// Class.forName("com.mysql.jdbc.Driver");
//
conn = JdbcUtils.getInstance().getConnection();
//long start =System.currentTimeMillis();
//
ps = conn.prepareStatement(sqlStr);
//
ps.setString(1, name);
//
rs = ps.executeQuery();
//
while (rs.next()) {
System.out.println(rs.getObject("id") + "\t" + rs.getObject("name") + "\t"
+ rs.getObject("birthday") + "\t" + rs.getObject("money"));
}
//long end=System.currentTimeMillis();
//System.out.println("Statement:read() "+(end-start)+"ms");
} finally {
JdbcUtils.getInstance().free(rs, ps, conn);
}
}
/**
* SQL
*
* @param name
* @throws SQLException
*/
public static void read1(String name) throws SQLException {
// SQL inject
String sqlStr = "select id,name,birthday,money from user where name='" + name + "'";
// System.out.println(sqlStr);
Connection conn = null;
Statement st = null;
ResultSet rs = null;
try {
// ,
// Class.forName("com.mysql.jdbc.Driver");
//
conn = JdbcUtils.getInstance().getConnection();
//long start =System.currentTimeMillis();
//
st = conn.createStatement();
//
rs = st.executeQuery(sqlStr);
//
while (rs.next()) {
System.out.println(rs.getObject("id") + "\t" + rs.getObject("name") + "\t"
+ rs.getObject("birthday") + "\t" + rs.getObject("money"));
}
//long end=System.currentTimeMillis();
//System.out.println("Statement:read() "+(end-start)+"ms");
} finally {
JdbcUtils.getInstance().free(rs, st, conn);
}
}
}