-
API详解: 获得语句执行
String sql = "Insert into category(cid, cname) values('c007', '分类')";
Statement 语句执行者代码: Statement stmt = con.createStatement();
常用方法:
-
执行SQL语句
-
int executeUpdate(String sql): ——执行insert, update delete 语句.(DML语句)
-
ResultSet executeQuery(String sql);——执行select语句. (DQL语句)
-
boolean execute(String sql);——执行select返回true执行其他的语句返回false
-
返回true, 需要使用getResultSet()获得查询结果
-
返回false, 需要使用getUpdateCount() 获得影响行数
-
-
-
执行批处理:
-
addBatch(String sql);
-
clearBatch();
-
executeBatch();
-
-
API详解: 处理结果集
rs.next(); //光标移动到下一个行 rs.getInt(1); //获取第几列
-
API详解: 释放资源
rs.close();
rtmt.close();
con.close();
-
登录实例
package cn.Douzi.test; import java.sql.Connection; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import org.junit.Test; public class TestLogin { /** * 用户登录方法 * @param username * @param password * @throws ClassNotFoundException * @throws SQLException */ public void login(String username, String password) throws ClassNotFoundException, SQLException { //1.注册驱动 Class.forName("com.mysql.jdbc.Driver"); //2. 获取连接 Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/books", "root", "sky"); //3.创建执行sql语句对象 Statement stmt = conn.createStatement(); //4.书写一个sql语句 String sql = "select * from user where "+"username='"+username+"' and password='"+password+"'"; //5.执行sql语句 ResultSet rs = stmt.executeQuery(sql); //6.对结果集进行处理 if (rs.next()) { System.out.println("恭喜你," + username + ", 登录成功!"); } else { System.out.println("账号或密码错误"); } if (rs != null) rs.close(); if (stmt != null) stmt.close(); if (conn != null) conn.close(); } @Test public void testLogin() { try { login("Douzi", "30"); } catch (ClassNotFoundException | SQLException e) { // TODO Auto-generated catch block e.printStackTrace(); } } }
SQL注入问题
下面这个也可以执行成功
因为执行的时候,sql语句是拼接进去的
@Test
public void testLogin() {
try {
login("douzi' or 'jdouzi", "s0");
} catch (ClassNotFoundException | SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
-
防止SQL攻击
过滤用户输入的数据中释放包含非法字符;
分步校验! 先使用用户名来查询用户, 如果找到了,再比较密码;
使用 PreparedStatement
-
PreparedStatement
叫做 预处理声明
PreparedStatement是Statement的子接口
防止SQL攻击
提高代码的可读性,以可维护性;
提高效率
-
PreparedStatement的使用(解决Sql注入问题)
public void login1(String username, String password) throws ClassNotFoundException, SQLException
{
//1.注册驱动
Class.forName("com.mysql.jdbc.Driver");
//2.获取连接
Connection conn = DriverManager.getConnection("jdbc:mysql://localhost:3306/books", "root", "s0");
//3.编写sql语句
String sql = "select * from user where username=? and password=?";
//4.创建预处理对象
PreparedStatement pstmt = conn.prepareStatement(sql);
//5.设置参数(给占位符)
pstmt.setString(1, username);
pstmt.setString(2, password);
//6.执行查询
ResultSet rs = pstmt.executeQuery();
//6.对结果集进行处理
if (rs.next()) {
System.out.println("恭喜你," + username + ", 登录成功!");
}
else {
System.out.println("账号或密码错误");
}
if (rs != null) rs.close();
if (pstmt != null) pstmt.close();
if (conn != null) conn.close();
}
下面语句则不能通过
@Test public void testLogin() { try { login1("douzi' or 'jdouzi", "sky"); } catch (ClassNotFoundException | SQLException e) { // TODO Auto-generated catch block e.printStackTrace(); } }