In java EE learning, the simple use and introduction of PreparedStatement (small record in java learning) and preparedstatement
Simple use and introduction of PreparedStatement in java Learning (small record in java learning)Author: Star)
PreparedStatement
It is a subclass and branch of Statement. PreparedStatement inherits from Statement
Database status
Account: liubei
Password 123
First, let's look at the problem of code Demonstration:
1 package TwoDay; 2 3 import java. SQL. connection; 4 import java. SQL. driverManager; 5 import java. SQL. resultSet; 6 import java. SQL. statement; 7 import java. util. optional; 8 9 public class StarOne {10 public static void main (String [] args) {11 Connection conn = null; 12 Statement stmt = null; 13 ResultSet rs = null; 14 15 // enter the user name and password 16 according to the console prompt input = new Login (System. in); 17 18 System. out. println ("\ T pet master login"); 19 System. out. println ("Enter the User name:"); 20 String name = input. next (); 21 System. out. println ("Enter password:"); 22 String password = input. next (); 23 24 try {25 Class. forName ("com. mysql. jdbc. driver "); 26 conn = DriverManager. getConnection ("jdbc: mysql: // localhost: 3306/starstudy", "root", "123456"); 27 stmt = conn. createStatement (); 28 String SQL = "SELECT * FROM 'master' WHERE 'name' = '" + name + "' AND 'Password' = '"+ Password +"' "; // when the parameter is added: '" + variable + "'29 System. out. println (SQL); 30 // when a problem is found, inject the entered password into this SQL statement. For example, the password I entered is: 123 'or '1' = '1' 31 // The SQL statement becomes: SELECT * FROM 'master' WHERE 'name' = 'liubei' AND 'Password' = '000000' or '1' = '1' 32 // This phenomenon is called Statment. poor security, SQL Injection risks exist (the reason is that he uses assembled statements) 33 34 rs = stmt.exe cuteQuery (SQL); 35 if (rs. next () {36 System. out. println ("Login successful! "); 37} else {38 System. out. println (" Logon Failed! "); 39} 40 41} catch (Exception e) {42 // TODO: handle exception43} finally {44 try {45 if (null! = Rs) {46 rs. close (); 47} 48 if (null! = Stmt) {49 stmt. close (); 50} 51 if (null! = Conn) {52 conn. close (); 53} 54} catch (Exception e2) {55 // TODO: handle exception56} 57} 58} 59}
Error summary:
For example, if the password I entered is 123 'or '1' = '1', it injects the entered password into this SQL statement.
The SQL statement becomes: SELECT * FROM 'master' WHERE 'name' = 'libei' AND 'Password' = '20160301' or '1' = '1'
If the program runs successfully, '1' = '1' must be set by default.
This phenomenon is called Statment, which has poor security and has potential SQL Injection risks (the reason is that it uses assembled statements)
So we have PreparedStatement to solve this problem:
Example of using PreparedStatement:
The code is used as follows:
1 package TwoDay; 2 3 import java. SQL. connection; 4 import java. SQL. driverManager; 5 import java. SQL. preparedStatement; 6 7 public class StarTwo {8 public static void main (String [] args) {9 Connection conn = null; 10 PreparedStatement pstmt = null; 11 12 String SQL = "UPDATE pet SET health = ?, Love =? WHERE id =? "; // Do not know the placeholder question mark? 13 14 try {15 Class. forName ("com. mysql. jdbc. driver "); 16 conn = DriverManager. getConnection ("jdbc: mysql: // localhost: 3306/starstudy", "root", "123456"); 17 pstmt = conn. prepareStatement (SQL); // execute the SQL statement, pre-compile 18 19 pstmt. setInt (); // here the question mark is the index (the first parameter) 20 pstmt. setInt (2, 88); 21 pstmt. setInt (3, 2); 22 23 pstmt.exe cuteUpdate (); // method modified 24 25} catch (Exception e) {26 27} finally {28 try {29 if (null! = Pstmt) {30 pstmt. close (); 31} 32 if (null! = Conn) {33 conn. close (); 34} 35} catch (Exception e2) {36} 37} 38} 39}