Prepared statements (PreparedStatement) are an effective defence against SQL injection and make database access safer and more reliable. The example below comes with its full source code:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

public class PreparedStatementDemo {
    public static void main(String[] args) {
        Connection connection = null;
        PreparedStatement pps = null;
        ResultSet resultSet = null;
        try {
            // Load the MySQL Connector/J driver
            Class.forName("com.mysql.cj.jdbc.Driver");
            String userName = "root";
            String passWord = "******";
            String url = "jdbc:mysql://localhost:3306/mysqlgaoji?serverTimezone=UTC";
            connection = DriverManager.getConnection(url, userName, passWord);
            // The SQL text is fixed up front; ? marks each parameter position
            String sql = "select * from employee where name=? and title=?";
            pps = connection.prepareStatement(sql);
            // Bind the values by 1-based parameter index; they are sent as data, not SQL
            pps.setString(1, "张三");
            pps.setString(2, "程序员");
            resultSet = pps.executeQuery();
            if (resultSet.next()) {
                System.out.println("成功");
            } else {
                System.out.println("失败");
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException throwables) {
            throwables.printStackTrace();
        } finally {
            // Release resources in reverse order of acquisition
            try {
                if (resultSet != null) {
                    resultSet.close();
                }
                if (pps != null) {
                    pps.close();
                }
                if (connection != null) {
                    connection.close();
                }
            } catch (SQLException throwables) {
                throwables.printStackTrace();
            }
        }
    }
}
The prepared-statement part of the code is:
    String sql = "select * from employee where name=? and title=?";
    pps = connection.prepareStatement(sql);
    pps.setString(1, "张三");
    pps.setString(2, "程序员");
    resultSet = pps.executeQuery();
First a SQL statement is defined, using `?` (the ASCII question mark) as a placeholder for each parameter. Then `setString(index, value)` is called to bind a value to each placeholder by its 1-based index; `setString` can be swapped for `setInt` and so on to match the column type. Because the statement text is fixed before any values are bound, the bound values are transmitted as data and are never parsed as part of the SQL, which is what keeps the query safe.
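As an added example (not code from the original post), the same contrast shown in Python with the standard-library sqlite3 module, so it runs offline without a MySQL server: a query built by string concatenation beside the placeholder-bound form, both run against a constructed `employee` table. The `?` binding here is the sqlite3 counterpart of `PreparedStatement.setString`; the table contents and the names are constructed sample data.

```python
import sqlite3

# Constructed sample rows mirroring the page's employee(name, title) query.
SAMPLE_ROWS = [("张三", "程序员"), ("O'Brien", "程序员"), ("李四", "经理")]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employee (name text, title text)")
    conn.executemany("insert into employee values (?, ?)", SAMPLE_ROWS)
    return conn


def find_concatenated(conn: sqlite3.Connection, name: str, title: str) -> list:
    """Unsafe form: the input is spliced into the SQL text, so a quote inside
    the input is parsed as SQL syntax instead of being treated as data."""
    sql = "select * from employee where name='" + name + "' and title='" + title + "'"
    return conn.execute(sql).fetchall()


def find_prepared(conn: sqlite3.Connection, name: str, title: str) -> list:
    """Safe form: the statement text is fixed and the values are bound to the
    ? placeholders, the sqlite3 equivalent of PreparedStatement.setString."""
    sql = "select * from employee where name=? and title=?"
    return conn.execute(sql, (name, title)).fetchall()


def compare(name: str, title: str) -> tuple:
    """Run both forms on the same input and return (concatenated, prepared).
    A SQL syntax error raised by the concatenated form is reported as 'error'."""
    conn = open_sample_db()
    try:
        try:
            concatenated = find_concatenated(conn, name, title)
        except sqlite3.OperationalError:
            concatenated = "error"
        prepared = find_prepared(conn, name, title)
    finally:
        conn.close()
    return concatenated, prepared


if __name__ == "__main__":
    # A plain name: both forms find the row.
    print(compare("张三", "程序员"))
    # A legitimate name containing a quote: concatenation produces broken SQL,
    # while the bound parameter still matches the stored row exactly.
    print(compare("O'Brien", "程序员"))
```

The apostrophe case is the point: with concatenation the driver sees the quote as the end of the string literal, while with binding the value never reaches the SQL parser at all.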