  • java JDBC (二) 防止注入/参数化

    package cn.sasa.demo2;
    
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;
    import java.sql.Statement;
    import java.util.Scanner;
    
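    /**
     * Demonstrates a login-style lookup that is safe against SQL injection because it
     * uses a parameterized query ({@link PreparedStatement}) rather than building the
     * SQL text by concatenating user input.
     *
     * <p>{@code PreparedStatement} is a sub-interface of {@code Statement}. The SQL text
     * containing {@code ?} placeholders is sent to the driver separately from the values,
     * so the values are always treated as data and never parsed as SQL syntax.
     */
    public class JDBCDemo2 {

        /**
         * Reads a user name and password from standard input, looks them up in the
         * {@code user} table with a parameterized query, and prints the name of every
         * matching row.
         *
         * @param args unused
         * @throws ClassNotFoundException if the MySQL JDBC driver class is not on the classpath
         * @throws SQLException if connecting to or querying the database fails
         */
        public static void main(String[] args) throws ClassNotFoundException, SQLException {
            // Not closed on purpose: closing the Scanner would also close System.in.
            Scanner sc = new Scanner(System.in);
            System.out.println("用户名");
            String name = sc.nextLine();
            System.out.println("密码");
            String pwd = sc.nextLine();

            Class.forName("com.mysql.jdbc.Driver");

            // UNSAFE variant, kept only as a counter-example -- do not use:
            //   String sql = " SELECT * FROM `user` WHERE name='"+ name +"' and pwd='"+ pwd +"' ";
            //   Statement state = conn.createStatement();
            //   ResultSet rsSet = state.executeQuery(sql);
            // With concatenation the input becomes part of the SQL text, so a quote
            // character in it can change the structure of the WHERE clause.
            String sql = " SELECT * FROM `user` WHERE name=? and pwd=? ";

            // NOTE(review): the account and password are hard-coded and the account is
            // root. Outside a demo, load credentials from configuration or a secret store
            // and connect with an account that only has SELECT on the table it needs.
            //
            // try-with-resources closes the result set, statement and connection in
            // reverse order even when a SQLException is thrown. The original called
            // pstate.cancel(), which only asks the driver to abort a running statement
            // and does not release it; close() is what was intended.
            try (Connection conn = DriverManager.getConnection(
                        "jdbc:mysql://192.168.0.207:3306/mydb", "root", "XXXXXXXX1");
                    PreparedStatement pstate = conn.prepareStatement(sql)) {
                // Placeholders are 1-indexed. setString binds the value with an explicit
                // SQL character type instead of leaving the mapping to setObject.
                pstate.setString(1, name);
                pstate.setString(2, pwd);

                // NOTE(review): comparing pwd inside the query implies the table stores
                // passwords in clear text. A real login should store a salted password
                // hash (bcrypt/scrypt/argon2), select the row by name only, and verify
                // the hash in application code.
                try (ResultSet rsSet = pstate.executeQuery()) {
                    while (rsSet.next()) {
                        System.out.println(rsSet.getString("name"));
                    }
                }
            }
        }

    }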
  • 原文地址:https://www.cnblogs.com/SasaL/p/10233412.html