Statement與PreparedStatement
阿新 • • 發佈:2020-08-03
對比
1、Statement存在SQL注入問題,PreparedStatement解決了SQL注入問題;
2、Statement是編譯一次執行一次,PreparedStatement是編譯一次,可執行N次,PreparedStatement效率較高一些;
3、PreparedStatement會在編譯階段做型別的安全檢查。
4、綜上所述:PreparedStatement使用較多,只有極少數的情況下需要使用Statement。比如業務方面要求必須進行SQL語句拼接的時候(例如排序方式無法作為參數綁定),此時拼接進去的值必須先經過嚴格校驗。
必須使用Statement的例子
使用者輸入desc或者asc,進行SQL語句拼接,表示降序或升序。由於這個值來自使用者輸入,拼接前必須先校驗它只能是desc或asc,否則仍然存在SQL注入。
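import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Locale;
import java.util.ResourceBundle;
import java.util.Scanner;

/**
 * Demonstrates the one case where a plain Statement (string-built SQL) is used:
 * the ORDER BY direction cannot be bound as a '?' parameter.
 *
 * <p>Because the direction comes straight from user input, it is checked against
 * a fixed allowlist ("asc"/"desc") before it is concatenated into the query.
 * Without that check the user can append arbitrary SQL to the query text.
 * Connection settings are read from the {@code jdbc.info} resource bundle.
 */
public class Demo {

    /**
     * Reads a sort direction from stdin, validates it, and prints every row of
     * {@code dept} ordered by {@code deptno} in that direction.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        Scanner in = new Scanner(System.in);
        System.out.println("輸入desc或者asc,表示降序或升序");
        System.out.println("請輸入:");
        String keyWords = in.nextLine();

        // Allowlist the sort direction: this is the injection guard. Only the
        // two literal keywords are ever concatenated into the SQL text.
        String direction = keyWords.trim().toLowerCase(Locale.ROOT);
        if (!"asc".equals(direction) && !"desc".equals(direction)) {
            System.out.println("只能輸入desc或者asc");
            return;
        }

        ResourceBundle bundle = ResourceBundle.getBundle("jdbc.info");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String password = bundle.getString("password");

        // Load the driver class first; a missing driver ends the program here,
        // exactly as the original catch block did.
        try {
            Class.forName(driver);
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }

        // Table and column names are fixed in code; only the validated direction is appended.
        String sql = "select * from dept order by deptno " + direction;

        // try-with-resources closes rs, stmt and conn in reverse order, even when
        // the query fails, replacing the nested close()/catch chains.
        try (Connection conn = DriverManager.getConnection(url, user, password);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                String deptno = rs.getString("deptno");
                String dname = rs.getString("dname");
                String loc = rs.getString("loc");
                System.out.println(deptno + "," + dname + "," + loc);
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}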
PreparedStatement完成增刪改
增
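import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.ResourceBundle;

/**
 * Inserts one row into {@code dept} through a PreparedStatement.
 *
 * <p>The three values are bound with setInt/setString to '?' placeholders rather
 * than concatenated into the SQL text, so they travel as parameters and are never
 * re-parsed as SQL. Connection settings are read from the {@code jdbc.info}
 * resource bundle.
 */
public class Demo {

    /**
     * Inserts the fixed row (60, "銷售部", "上海") and prints the update count.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        ResourceBundle bundle = ResourceBundle.getBundle("jdbc.info");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String password = bundle.getString("password");

        // Load the driver class first; a missing driver ends the program here,
        // exactly as the original catch block did.
        try {
            Class.forName(driver);
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }

        // Placeholders are filled by index (1-based) in the order they appear.
        String sql = "insert into dept values(?, ?, ?) ";

        // try-with-resources closes pstmt and conn in reverse order, even when
        // the insert fails, replacing the nested close()/catch chains.
        try (Connection conn = DriverManager.getConnection(url, user, password);
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setInt(1, 60);
            pstmt.setString(2, "銷售部");
            pstmt.setString(3, "上海");
            int count = pstmt.executeUpdate();
            System.out.println(count);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}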
改
// Update: each value is bound to a '?' placeholder; the parameter index is
// 1-based and follows the order of the '?' marks in the SQL text.
// Assumes conn is an open Connection and that the surrounding code (not shown
// here) still calls executeUpdate() and closes pstmt, as in the insert listing.
String sql = "update dept set dname=?, loc=? where deptno=?";
pstmt = conn.prepareStatement(sql);
pstmt.setString(1,"研發部"); // dname
pstmt.setString(2,"深圳"); // loc
pstmt.setInt(3,60); // deptno in the where clause
刪
// Delete: the row key is bound as a parameter, not concatenated into the SQL.
// Assumes conn is an open Connection and that the surrounding code (not shown
// here) still calls executeUpdate() and closes pstmt, as in the insert listing.
String sql = "delete from dept where deptno=?";
pstmt = conn.prepareStatement(sql);
pstmt.setInt(1,60); // deptno in the where clause