对比
1、Statement存在SQL注入问题,PreparedStatement解决了SQL注入问题;
2、Statement是编译一次执行一次,PreparedStatement是编译一次,可执行N次,PreparedStatement效率较高一些;
3、PreparedStatement会在编译阶段做类型的安全检查。
4、综上所述:PreparedStatement使用较多,只有极少数的情况下需要使用Statement。比如业务上必须进行SQL语句拼接的时候(例如拼接排序方向)。
必须使用Statement的例子
用户输入desc或者asc,进行SQL语句拼接,表示降序或升序(拼接前应先校验输入只能是这两个值之一,否则就是SQL注入点)。
import java.sql.*;
import java.util.ResourceBundle;
import java.util.Scanner;
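public class Demo {

    /**
     * Validates the user-supplied sort direction before it is concatenated into SQL.
     *
     * <p>The ORDER BY direction cannot be bound as a {@code ?} parameter, so the
     * only defence is an allow-list: anything other than {@code asc}/{@code desc}
     * is rejected instead of being pasted into the statement.
     *
     * @param input raw text read from the console; may be null or padded with whitespace
     * @return the canonical lower-case keyword, {@code "asc"} or {@code "desc"}
     * @throws IllegalArgumentException if the input is not one of the two keywords
     */
    static String normalizeDirection(String input) {
        String keyword = input == null ? "" : input.strip().toLowerCase(java.util.Locale.ROOT);
        if ("asc".equals(keyword) || "desc".equals(keyword)) {
            return keyword;
        }
        throw new IllegalArgumentException("只能输入desc或者asc");
    }

    /**
     * Reads a sort direction from the console and prints every row of {@code dept}
     * ordered by {@code deptno} in that direction.
     *
     * <p>Connection settings are read from the {@code jdbc.info} resource bundle
     * (keys {@code driver}, {@code url}, {@code user}, {@code password}).
     * JDBC resources are closed by try-with-resources in reverse order of creation.
     */
    public static void main(String[] args) {
        Scanner in = new Scanner(System.in);
        System.out.println("输入desc或者asc,表示降序或升序");
        System.out.println("请输入:");
        String keyWords = in.nextLine();

        // Reject anything that is not a bare sort keyword before it reaches the SQL string.
        String direction;
        try {
            direction = normalizeDirection(keyWords);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
            return;
        }

        ResourceBundle bundle = ResourceBundle.getBundle("jdbc.info");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String password = bundle.getString("password");

        // Concatenation is unavoidable here; it is safe only because direction was allow-listed.
        String sql = "select * from dept order by deptno " + direction;

        try {
            Class.forName(driver);
            try (Connection conn = DriverManager.getConnection(url, user, password);
                 Statement stmt = conn.createStatement();
                 ResultSet rs = stmt.executeQuery(sql)) {
                while (rs.next()) {
                    String deptno = rs.getString("deptno");
                    String dname = rs.getString("dname");
                    String loc = rs.getString("loc");
                    System.out.println(deptno + "," + dname + "," + loc);
                }
            }
        } catch (SQLException | ClassNotFoundException e) {
            e.printStackTrace();
        }
    }
}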
PreparedStatement完成增删改
增
import java.sql.*;
import java.util.ResourceBundle;
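public class Demo {

    /**
     * Inserts one fixed row into {@code dept} through a {@link PreparedStatement}
     * and prints the number of affected rows.
     *
     * <p>Connection settings come from the {@code jdbc.info} resource bundle
     * (keys {@code driver}, {@code url}, {@code user}, {@code password}).
     * The statement and the connection are closed by try-with-resources, so no
     * manual {@code finally} cleanup is needed.
     */
    public static void main(String[] args) {
        ResourceBundle bundle = ResourceBundle.getBundle("jdbc.info");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String password = bundle.getString("password");

        // Column values are bound by placeholder index; they never become part of the SQL text.
        String sql = "insert into dept values(?, ?, ?) ";

        try {
            Class.forName(driver);
            try (Connection conn = DriverManager.getConnection(url, user, password);
                 PreparedStatement pstmt = conn.prepareStatement(sql)) {
                pstmt.setInt(1, 60);
                pstmt.setString(2, "销售部");
                pstmt.setString(3, "上海");
                int count = pstmt.executeUpdate();
                System.out.println(count);
            }
        } catch (SQLException | ClassNotFoundException e) {
            e.printStackTrace();
        }
    }
}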
改
// Update: every value, including the WHERE key, is bound by index rather than spliced into the text.
String sql = "update dept set dname=?, loc=? where deptno=?";
pstmt = conn.prepareStatement(sql);
// The placeholder index decides the slot, not the order of the set calls.
pstmt.setInt(3, 60);
pstmt.setString(1, "研发部");
pstmt.setString(2, "深圳");
删
// Delete: the row key is a bound parameter, so the SQL text stays constant.
String sql = "delete from dept where deptno=?";
pstmt = conn.prepareStatement(sql);
pstmt.setInt(1, 60);