对比
1、Statement存在SQL注入问题,PreparedStatement通过参数绑定(?占位符)解决了SQL注入问题;
2、Statement是编译一次执行一次,PreparedStatement是编译一次,可执行N次,PreparedStatement效率较高一些;
3、PreparedStatement会在编译阶段做类型的安全检查。
4、综上所述:PreparedStatement使用较多,只有极少数的情况下需要使用Statement,即业务上必须拼接SQL语句本身(例如排序方向这类无法用?占位符传入的部分)的时候。
必须使用Statement的例子
用户输入desc或者asc,进行SQL语句拼接,表示降序或升序(例如京东淘宝点击按价格升降序)。由于这部分无法用?占位符传入,拼接前应先校验输入只能是desc或asc这两个值。
| import java.sql.*; import java.util.ResourceBundle; import java.util.Scanner;
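public class Demo {
    /**
     * Demonstrates the one case where the SQL text itself must be assembled: the ORDER BY
     * direction cannot be bound with a {@code ?} placeholder, so it is concatenated. The
     * user-supplied direction is first reduced to the literal {@code asc} / {@code desc} via
     * {@link #orderDirection(String)}, so nothing else can reach the query string.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        Scanner in = new Scanner(System.in);
        System.out.println("输入desc或者asc,表示降序或升序");
        System.out.println("请输入:");
        String keyWords = in.nextLine();

        String direction;
        try {
            direction = orderDirection(keyWords);
        } catch (IllegalArgumentException e) {
            // Reject anything other than the two allowed keywords before touching the database.
            System.out.println(e.getMessage());
            return;
        }

        ResourceBundle bundle = ResourceBundle.getBundle("jdbc.info");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String password = bundle.getString("password");

        // Only the validated literal is concatenated into the statement.
        String sql = "select * from dept order by deptno " + direction;

        try {
            Class.forName(driver);
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }

        // try-with-resources closes rs, stmt and conn in reverse order, also on exceptions.
        try (Connection conn = DriverManager.getConnection(url, user, password);
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                String deptno = rs.getString("deptno");
                String dname = rs.getString("dname");
                String loc = rs.getString("loc");
                System.out.println(deptno + "," + dname + "," + loc);
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Reduces a user-supplied sort direction to exactly {@code "asc"} or {@code "desc"}.
     * Surrounding whitespace and letter case are ignored; any other input is rejected.
     *
     * @param input raw text typed by the user; may be {@code null}
     * @return the literal {@code "asc"} or {@code "desc"}
     * @throws IllegalArgumentException if the input is not one of the two keywords
     */
    static String orderDirection(String input) {
        String normalized = input == null ? "" : input.strip();
        if ("asc".equalsIgnoreCase(normalized)) {
            return "asc";
        }
        if ("desc".equalsIgnoreCase(normalized)) {
            return "desc";
        }
        throw new IllegalArgumentException("只能输入desc或者asc");
    }
}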

PreparedStatement完成增删改
1.增
| import java.sql.*; import java.util.ResourceBundle;
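public class Demo {
    /**
     * Inserts one row into {@code dept}. All three column values are bound through
     * {@code ?} placeholders, so they are sent as parameters rather than spliced into the
     * SQL text. Connection and statement are closed by try-with-resources.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        ResourceBundle bundle = ResourceBundle.getBundle("jdbc.info");
        String driver = bundle.getString("driver");
        String url = bundle.getString("url");
        String user = bundle.getString("user");
        String password = bundle.getString("password");

        String sql = "insert into dept values(?, ?, ?) ";

        try {
            Class.forName(driver);
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
            return;
        }

        // Resources are released in reverse declaration order even if executeUpdate throws.
        try (Connection conn = DriverManager.getConnection(url, user, password);
             PreparedStatement pstmt = conn.prepareStatement(sql)) {
            pstmt.setInt(1, 60);
            pstmt.setString(2, "销售部");
            pstmt.setString(3, "上海");
            int count = pstmt.executeUpdate();
            // Number of affected rows, as returned by the driver.
            System.out.println(count);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}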


2.删
// Fragment: conn and pstmt are presumably the Connection / PreparedStatement declared and closed as in the insert example above.
// The row key is bound through "?", so the value never becomes part of the SQL text.
String sql = "delete from dept where deptno=?";
pstmt = conn.prepareStatement(sql);
pstmt.setInt(1,60);
// Not shown here: the executeUpdate() call that actually runs the delete (see the insert example).

3.改
// Fragment: conn and pstmt are presumably the Connection / PreparedStatement declared and closed as in the insert example above.
// All three values are bound by position (1-based) through "?", so none of them is concatenated into the SQL text.
String sql = "update dept set dname=?, loc=? where deptno=?";
pstmt = conn.prepareStatement(sql);
pstmt.setString(1,"研发部");
pstmt.setString(2,"深圳");
pstmt.setInt(3,60);
// Not shown here: the executeUpdate() call that actually runs the update (see the insert example).
