PreparedStatement
Statement requires building the SQL by string concatenation, which hurts readability and maintainability.
PreparedStatement sets the values as parameters, which is more readable and less error-prone.
// Statement: the values are spliced directly into the SQL text
String sql = "insert into hero values(null,"+"'提莫'"+","+313.0f+","+50+")";

// PreparedStatement: placeholders in the SQL, values bound afterwards
String sql = "insert into hero values(null,?,?,?)";
PreparedStatement ps = c.prepareStatement(sql);
ps.setString(1, "提莫");
ps.setFloat(2, 313.0f);
ps.setInt(3, 50);
ps.execute();
PreparedStatement is precompiled by the database, so it performs faster than Statement.
PreparedStatement prevents SQL injection attacks, because bound parameter values are sent as data and cannot change the structure of the SQL statement.
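An added example (not code from the original page) that carries the hero insert above through with bound parameters and then queries by name; it assumes a placeholder JDBC URL and a hero table with columns (id, name, hp, damage), which the page does not name. It also shows why a value containing a quote is safe with a bound parameter but would break the concatenated Statement version.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

// Assumed table layout: hero(id, name, hp, damage); the page only shows the values.
public class HeroDao {
    // Placeholder: replace with the real JDBC URL and driver for your database.
    private static final String JDBC_URL = "jdbc:<driver>://localhost/<db>";

    // Insert with bound parameters; the name travels as data, never as SQL text.
    static int insertHero(Connection c, String name, float hp, int damage) throws SQLException {
        String sql = "insert into hero values(null,?,?,?)";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setFloat(2, hp);
            ps.setInt(3, damage);
            return ps.executeUpdate(); // number of rows inserted
        }
    }

    // Look up by name: the statement text is fixed, only the bound value changes.
    static Integer findDamageByName(Connection c, String name) throws SQLException {
        String sql = "select damage from hero where name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getInt("damage") : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(JDBC_URL)) {
            insertHero(c, "提莫", 313.0f, 50);
            // With Statement concatenation this name would produce
            // "... values(null,'O'Brien',...)", a syntax error; the bound
            // parameter stores and matches it as a plain literal.
            insertHero(c, "O'Brien", 400.0f, 60);
            System.out.println(findDamageByName(c, "O'Brien"));
        }
    }
}
```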