An experiment on whether a Prepared Statement can prevent SQL Injection

    Code:

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;

    public class Test02 {

        public static void main(String argsv[]) {
            try {
                Class.forName("org.postgresql.Driver").newInstance();
                String url = "jdbc:postgresql://localhost:5432/postgres";

                Connection con = DriverManager.getConnection(url, "postgres", "postgres");

                /// Phase 1: -------------Select data from table-----------------------
                System.out.println("Phase 1------------------------start");

                // The "?" is a bind parameter: its value is sent separately from the SQL text
                // and is never spliced into the statement string.
                String strsql = "select * from customers01 where cust_id = ?";
                PreparedStatement pst = con.prepareStatement(strsql);

                pst.setString(1, "3"); // find the customer with cust_id of 3.

                ResultSet rs = pst.executeQuery();

                while (rs.next()) {
                    System.out.print("cust_id:" + rs.getInt("cust_id"));
                    System.out.println("...cust_name:" + rs.getString("cust_name"));
                }
                System.out.println("Phase 1------------------------end");

                rs.close();
                pst.close();
                con.close();

            } catch (Exception ee) {
                System.out.print(ee.getMessage());
            }
        }

    }

    If I change `pst.setString(1,"3"); //find the customer with cust_id of 3.` to:

    `pst.setString(1,"3 or 1 = 1");` then the query simply produces no result; it does not pull out every record.

    A prepared statement is therefore relatively safe: it does away with SQL string concatenation, so the bound value is treated as a single literal rather than as part of the SQL syntax.
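    The same experiment with the string-concatenation query placed beside the parameterised one, as an added example that is not part of the original post: an in-memory SQLite database stands in for the post's PostgreSQL `customers01` table and the three rows are constructed, but the binding semantics being demonstrated are the same.

```python
import sqlite3

# Constructed sample rows standing in for the post's customers01 table.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def setup_db():
    """Create an in-memory table shaped like customers01 (cust_id, cust_name)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table customers01 (cust_id integer, cust_name text)")
    con.executemany("insert into customers01 values (?, ?)", SAMPLE_ROWS)
    return con


def find_concatenated(con, cust_id):
    """Vulnerable form: the caller-supplied value is pasted into the SQL text,
    so anything it contains is parsed as SQL by the database."""
    sql = "select cust_id, cust_name from customers01 where cust_id = " + cust_id
    return con.execute(sql).fetchall()


def find_prepared(con, cust_id):
    """Parameterised form, the equivalent of the post's PreparedStatement with
    setString: the value is bound to the single '?' placeholder as one literal
    and is never interpreted as SQL syntax."""
    sql = "select cust_id, cust_name from customers01 where cust_id = ?"
    return con.execute(sql, (cust_id,)).fetchall()


if __name__ == "__main__":
    con = setup_db()
    for value in ("3", "3 or 1 = 1"):
        # Concatenation turns the second value into "... where cust_id = 3 or 1 = 1"
        # and returns every row; the bound parameter compares the whole string
        # against cust_id and matches nothing, as observed in the post.
        print(repr(value), "concatenated:", find_concatenated(con, value))
        print(repr(value), "prepared:   ", find_prepared(con, value))
```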

Original URL: https://www.cnblogs.com/gaojian/p/3140698.html