PreparedStatement

 

Statement requires string concatenation, which is hard to read and hard to maintain:
String sql = "insert into hero values(null," + "'提莫'" + "," + 313.0f + "," + 50 + ")";
 
PreparedStatement uses parameter placeholders, which reads well and is less error-prone (c is an open java.sql.Connection):
String sql = "insert into hero values(null,?,?,?)";
PreparedStatement ps = c.prepareStatement(sql);
ps.setString(1, "提莫");  // parameters are 1-indexed
ps.setFloat(2, 313.0f);
ps.setInt(3, 50);
ps.execute();

 

PreparedStatement is precompiled by the database, so it performs better than Statement when the same SQL is executed repeatedly.

PreparedStatement prevents SQL injection attacks, because bound parameters are passed to the database as data and are never parsed as part of the SQL text.
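The following example, added here and not part of the original post, shows the difference in behaviour described above: a name containing a single quote breaks the concatenated Statement (the quote is parsed as SQL), while the same name is stored intact through a PreparedStatement. It assumes an H2 in-memory database with the H2 driver on the classpath, run in MySQL compatibility mode so that the post's hero table and "insert ... values(null, ...)" form work unchanged.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {
    // Assumption: H2 in-memory database in MySQL mode; the H2 driver must be on the classpath.
    private static final String URL = "jdbc:h2:mem:demo;MODE=MySQL;DB_CLOSE_DELAY=-1";

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            // Same shape as the post's hero table: id, name, hp, damage
            try (Statement st = c.createStatement()) {
                st.execute("create table hero (id int auto_increment primary key, "
                        + "name varchar(30), hp float, damage int)");
            }

            String name = "O'Neil"; // constructed input containing a single quote

            // Statement with concatenation: the quote in the value becomes part of the SQL text,
            // so the database sees malformed SQL and rejects the statement.
            String concatenated = "insert into hero values(null,'" + name + "'," + 313.0f + "," + 50 + ")";
            try (Statement st = c.createStatement()) {
                st.execute(concatenated);
                System.out.println("Statement insert unexpectedly succeeded");
            } catch (SQLException e) {
                System.out.println("Statement insert failed: " + e.getMessage());
            }

            // PreparedStatement: the value is bound as a parameter and treated purely as data.
            String sql = "insert into hero values(null,?,?,?)";
            try (PreparedStatement ps = c.prepareStatement(sql)) {
                ps.setString(1, name);
                ps.setFloat(2, 313.0f);
                ps.setInt(3, 50);
                ps.execute();
            }

            // Read the row back, again with a bound parameter, to confirm the quote survived intact.
            try (PreparedStatement ps = c.prepareStatement("select name, hp, damage from hero where name = ?")) {
                ps.setString(1, name);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        System.out.println("stored: " + rs.getString("name")
                                + " hp=" + rs.getFloat("hp") + " damage=" + rs.getInt("damage"));
                    }
                }
            }
        }
    }
}
```

The concatenated insert fails with a syntax error from the database, which is the same mechanism that lets crafted input change a query's meaning; the prepared insert and the prepared select both succeed and print the name exactly as entered.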

 

 

posted @ 2018-04-08 23:29 by lspa, 408 reads, 0 comments