Statement:
 1. Inconvenient to use
 2. Problems with SQL injection
    * Using the database's own keyword OR in the SQL statement invalidates the WHERE condition

PreparedStatement:
 1. SQL statements are not built by splicing strings together
 2. Prevents SQL injection problems
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.Statement;

public class CurdTest {
    public static void main(String[] args) throws Exception {
        // insertTest();
        // deleteTest();
        // updateTest();
        // selectTest();
        deleteTest2();
    }

    // Delete, method 2: obtain a precompiled statement object (PreparedStatement),
    // which prevents SQL injection problems
    private static void deleteTest2() throws Exception {
        // Register the driver
        Class.forName("com.mysql.jdbc.Driver");
        // Create a connection
        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/day01", "root", "root");
        // Create a statement object; each ? is a placeholder that is bound afterwards
        String sql = "delete from Stu where id = ? or name = ?";
        PreparedStatement pst = conn.prepareStatement(sql);
        pst.setInt(1, 7);          // first ?: id = 7
        pst.setString(2, "Baby");  // second ?: name = "Baby"
        int i = pst.executeUpdate();
        if (i != 0) {
            System.out.println("Delete succeeded");
        }
        pst.close();
        conn.close();
    }

    // Delete, method 1: Statement
    private static void deleteTest() throws Exception {
        // Register the driver
        Class.forName("com.mysql.jdbc.Driver");
        // Create a connection
        Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/day01", "root", "root");
        // Create a statement object
        Statement st = conn.createStatement();
        // SQL injection problem:
        // using the database's own keyword OR in the SQL statement invalidates the WHERE condition
        // String sql = "delete from Stu where id = 1 or 1=1"; // SQL injection problem: the whole table would be deleted
        String sql = "delete from Stu where id = 1";
        int i = st.executeUpdate(sql);
        if (i != 0) {
            System.out.println("Delete succeeded");
        }
        st.close();
        conn.close();
    }
}
A PreparedStatement object represents a precompiled SQL statement; because the statement text is fixed before the values are bound to its ? placeholders, it prevents SQL injection.
JDBC can delete data in two ways: with a Statement, where the SQL text is spliced together from strings, or with a PreparedStatement object, which represents a precompiled SQL statement and prevents SQL injection.
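The following is an added example, not code from the original post: it puts the two delete paths side by side when the id comes from user input instead of being hard-coded. It assumes the same database as the post (jdbc:mysql://localhost/day01, user root/root) and the same table Stu with an integer id column and a name column; the class name DeleteDemo and the helper methods are hypothetical. The concatenated statement is only built and printed, never executed, so the comparison can be read without touching the table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Hypothetical class for this added example (not from the original post).
// Assumes the post's database: jdbc:mysql://localhost/day01, user root / root,
// table Stu with an integer column id and a string column name.
public class DeleteDemo {

    private static final String URL = "jdbc:mysql://localhost/day01";
    private static final String USER = "root";
    private static final String PASSWORD = "root";

    // Statement-style pattern: the user-supplied text becomes part of the SQL text,
    // so the database parses whatever it contains as SQL. Built here only for the
    // comparison; this method never executes anything.
    static String buildDeleteByConcatenation(String idText) {
        return "delete from Stu where id = " + idText;
    }

    // Typed validation in front of the PreparedStatement: the id must be a real
    // integer, otherwise the request is rejected before any SQL is sent.
    static int parseId(String idText) {
        return Integer.parseInt(idText.trim()); // throws NumberFormatException on "1 or 1=1"
    }

    // PreparedStatement pattern from the post, with values coming in as parameters.
    // The SQL text is fixed and precompiled first; id and name are bound to the
    // ? placeholders afterwards and can only ever be compared as data.
    static int deleteByIdOrName(Connection conn, int id, String name) throws SQLException {
        String sql = "delete from Stu where id = ? or name = ?";
        try (PreparedStatement pst = conn.prepareStatement(sql)) {
            pst.setInt(1, id);        // first ?: bound as an integer
            pst.setString(2, name);   // second ?: bound as a string value, never parsed as SQL
            return pst.executeUpdate(); // number of rows actually deleted
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a normal id and the OR-keyword input from the post.
        String[] inputs = { "7", "1 or 1=1" };

        for (String input : inputs) {
            // With string splicing the second input turns the WHERE clause into
            // "id = 1 or 1=1", which matches every row in the table.
            System.out.println("Spliced SQL (not executed): " + buildDeleteByConcatenation(input));

            int id;
            try {
                id = parseId(input);
            } catch (NumberFormatException e) {
                // The same input never reaches the database on the prepared path.
                System.out.println("Rejected, not a valid id: \"" + input + "\"");
                continue;
            }

            try (Connection conn = DriverManager.getConnection(URL, USER, PASSWORD)) {
                int deleted = deleteByIdOrName(conn, id, "Baby");
                System.out.println("Prepared delete for id " + id + " removed " + deleted + " row(s)");
            }
        }
    }
}
```

For the input "1 or 1=1" the spliced statement is printed as the same table-wiping SQL the post comments out, while the prepared path rejects the text at parseId and sends nothing; for "7" the prepared delete removes only the row with id 7 or name "Baby", exactly as deleteTest2 in the post does with hard-coded values.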