SQL中Statement和PreparedStatement

原文 :https://blog.csdn.net/weixin_42245375/article/details/102813200

一、常见数据库驱动

 

 

1.比较
(1)Statement操作数据库:
增删改:executeUpdate()
查询:executeQuery();

(2)PreparedStatement操作数据库:
public interface PreparedStatement extends Statement
因此
增删改:executeUpdate()
查询:executeQuery();
–此外
赋值操作 setXxx();

2.推荐PreparedStatement,
(1)编码更加简便(避免了字符串的拼接)
String name = “zs” ;
int age = 23 ;

stmt:
String sql =" insert into student(stuno,stuname) values(’"+name+"’, “+age+” ) " ;
stmt.executeUpdate(sql);

pstmt:
String sql =" insert into student(stuno,stuname) values(?,?) " ;
pstmt = connection.prepareStatement(sql);//预编译SQL
pstmt.setString(1,name);
pstmt.setInt(2,age);

(2)提高性能(因为 有预编译操作,预编译只需要执行一次)
需要重复增加100条数
stmt:
String sql =" insert into student(stuno,stuname) values(’"+name+"’, “+age+” ) " ;
for(100)
stmt.executeUpdate(sql);

pstmt:
String sql =" insert into student(stuno,stuname) values(?,?) " ;
pstmt = connection.prepareStatement(sql);//预编译SQL
pstmt.setString(1,name);
pstmt.setInt(2,age);
for( 100){
pstmt.executeUpdate();
}

(3)安全(可以有效防止sql注入)
sql注入: 将客户输入的内容 和 开发人员的SQL语句 混为一体

stmt:存在被sql注入的风险
(例如输入 用户名:任意值 ’ or 1=1 –
密码:任意值)
分析:
select count() from login where uname=‘任意值 ’ or 1=1 --’ and upwd =‘任意值’ ;
select count() from login where uname='任意值 ’ or 1=1 ;
select count(*) from login ;

select count(*) from login where uname=’"+name+"’ and upwd =’"+pwd+"’

pstmt:有效防止sql注入

3.两种方式代码实现

(1)Statement方式

public class JDBCDemo {
    private static final String URL = "jdbc:oracle:thin:@localhost:1521:ORCL";
    private static final String USERNAME = "scott";
    private static final String PWD = "tiger";

    public static void update() {// 增删改
        Connection connection = null;
        Statement stmt = null;
        try {
            // a.导入驱动,加载具体的驱动类
            Class.forName("oracle.jdbc.OracleDriver");// 加载具体的驱动类
            // b.与数据库建立连接
            connection = DriverManager.getConnection(URL, USERNAME, PWD);
            // c.发送sql,执行(增删改、查)
            stmt = connection.createStatement();
            //String sql = "insert into student values(1,'zs',23,'s1')";
//            String sql = "update student set STUNAME='ls' where stuno=1";
            String sql = "delete from student where stuno=1";
            // 执行SQL
            int count = stmt.executeUpdate(sql); // 返回值表示 增删改 几条数据
            // d.处理结果
            if (count > 0) {  
                System.out.println("操作成功!");
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        } catch(Exception e) {
            e.printStackTrace();
        }
        finally {
            try {
                 if(stmt!=null) stmt.close();// 对象.方法
                 if(connection!=null)connection.close();
            }catch(SQLException e) {
                e.printStackTrace();
            }
        }
    }

(2)PreparedStatement方式

public class JDBCPreparedStatementDemo {
    private static final String URL = "jdbc:oracle:thin:@localhost:1521:ORCL";
    private static final String USERNAME = "scott";
    private static final String PWD = "tiger";

    public static void update() {// 增删改
        Connection connection = null;
        PreparedStatement  pstmt = null;
        try {
            // a.导入驱动,加载具体的驱动类
            Class.forName("oracle.jdbc.OracleDriver");// 加载具体的驱动类
            // b.与数据库建立连接
            connection = DriverManager.getConnection(URL, USERNAME, PWD);
            
            /* Statement
            // c.发送sql,执行(增删改、查)
            stmt = connection.createStatement();
            //String sql = "insert into student values(1,'zs',23,'s1')";
//            String sql = "update student set STUNAME='ls' where stuno=1";
            String sql = "delete from student where stuno=1";
            // 执行SQL
            int count = stmt.executeUpdate(sql); // 返回值表示 增删改 几条数据
            */
            //PreparedStatement
            String sql = "insert into student values(?,?,?,?)";
            pstmt = connection.prepareStatement(sql);//预编译
            pstmt.setInt(1, 36);
            pstmt.setString(2, "zhangsan");
            pstmt.setInt(3, 56);
            pstmt.setString(4, "s3");
            
            int count =pstmt.executeUpdate() ;
            
            // d.处理结果
            if (count > 0) {  
                System.out.println("操作成功!");
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        } catch(Exception e) {
            e.printStackTrace();
        }
        finally {
            try {
                 if(pstmt!=null) pstmt.close();// 对象.方法
                 if(connection!=null)connection.close();
            }catch(SQLException e) {
                e.printStackTrace();
            }
        }
    }
    
    
    public static void query() {
        Connection connection = null;
        PreparedStatement pstmt = null;
        ResultSet rs = null ; 
        try {
            // a.导入驱动,加载具体的驱动类
            Class.forName("oracle.jdbc.OracleDriver");// 加载具体的驱动类
            // b.与数据库建立连接
            connection = DriverManager.getConnection(URL, USERNAME, PWD);
            // c.发送sql,执行(增删改、【查】)
            Scanner input= new Scanner(System.in);
            System.out.println("请输入用户名:");
            String name = input.nextLine() ;
            System.out.println("请输入密码:");
            String pwd = input.nextLine() ;
        
//            String sql = "select * from student where stuname like '%"+name+"%'";
//            String sql = "select * from student where stuname like ?";
            String sql ="select count(*) from login where uname= ? and upwd =?"; 
            pstmt = connection.prepareStatement(sql) ;
            pstmt.setString(1, name);
            pstmt.setString(2, pwd);
            
//            String sql = "select stuno,stuname from student";
                    // 执行SQL(增删改executeUpdate(),查询executeQuery())
            rs = pstmt.executeQuery(); // 返回值表示 增删改 几条数据
            // d.处理结果
//            while(rs.next()) {
//                int sno = rs.getInt( "stuno") ;
//                String sname = rs.getString("stuname") ;
                int sno = rs.getInt(1) ; //下标:从1开始计数
                String sname = rs.getString(2) ;
//                System.out.println(sno+"--"+sname);
//            }
            int count = -1;
            if(rs.next()) {
                count = rs.getInt(1) ;
            }
            if(count>0) {
                System.out.println("登陆成功!");
            }else {
                System.out.println("登陆失败!");
            }

        } catch (ClassNotFoundException e) {
            System.out.println("111");
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        } catch(Exception e) {
            e.printStackTrace();
        }
        finally {
            try {
                if(rs!=null) rs.close(); 
                 if(pstmt!=null) pstmt.close();// 对象.方法
                 if(connection!=null)connection.close();
            }catch(SQLException e) {
                e.printStackTrace();
            }catch(Exception e) {
                e.printStackTrace();
            }
        }
    }

 

posted @ 2021-07-03 08:31  清语堂  阅读(563)  评论(0编辑  收藏  举报