Statement how to use
Statement Statement = Connection.createstatement (); String queryString = "Select Username,password from user_table where username= '" + username + "' and password= '" + PA ssWOrd + "'"; ResultSet ResultSet = Statement.executequery (queryString);
Statement is a non-precompiled statement, each execution will go to the database to generate a statement execution.
If the password variable is assigned a value of ' or ' 1 ' = ' 1 ' then the entire statement is
Select Username,password from user_table where username= ' Zhagnsan ' and password= ' or ' 1 ' = ' 1 '
Statement will pass this string to the database for execution, and this string is injected, so any information entered will be successful.
Preparestatement How to use
String queryString = "Select Username,password from user_table where username =?" + "and password =?"; PreparedStatement = Connection.preparestatement (queryString); Preparedstatement.setstring (1, username); Preparedstatement.setstring (2, password); ResultSet = Preparedstatement.executequery ();
Connection.preparestatement (queryString); The statement is passed to the database to generate the precompiled statement.
Then username, the value of password becomes a parameter of two question marks. The value of input or ' 1 ' = ' 1 ' is only used as the second parameter value, and the precompiled statement in the database does not treat or as a select relationship keyword, but only as a parameter string, passing in the precompiled statement, so that the precompiled statement can prevent injection.
And the precompiled statement does not have to be executed every time to generate an execution statement, but can be generated once and then multiple calls to use, and statement is the concatenation of string string to the database generation statement execution.
Precompiled preparestatement is statement more efficient.
Understanding of statement and Preparestatement in Java