一PrepareStatement使用
主要特点:防止sql注入、提升效率
当前数据库:
代码:
package jdbc;
import org.junit.Test;
import java.sql.*;
/**
* Created by kevin on 2020/3/23.
*/
public class Demo3 {
public boolean login(String name,String password){
/**
* 一、Connection
* 二、Statement
* 三、ResultSet
*/
Connection connection = null;
Statement statement = null;
ResultSet resultSet = null;
try {
String driverClassName = "com.mysql.cj.jdbc.Driver";
String url = "jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC";
String mysqlUserName="root";
String mysqlPassword="mysql";
Class.forName(driverClassName);
connection = DriverManager.getConnection(url,mysqlUserName,mysqlPassword);
statement = connection.createStatement();
String sql = "select * from stu WHERE name = '"+name+"'and password = '"+password+"'";
resultSet = statement.executeQuery(sql);
return resultSet.next();
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
if(resultSet!=null){
resultSet.close();
}
if(statement!=null){
statement.close();
}
if(connection!=null){
connection.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
return false;
}
@Test
public void fun1(){
String userName= "张三";
String password="111111";
String userName2= "错名' or 'a'='a";
String password2="错密码' or 'a'='a";
//正常输入
System.out.println(login(userName,password));
//sql注入越过正常逻辑判断
System.out.println(login(userName2,password2));
}
}
输出
通过PrepareStatement方式新建login2方法
public boolean login2(String name,String password){
/**
* 一、Connection
* 二、Statement
* 三、ResultSet
*/
Connection connection = null;
PreparedStatement preparedStatement = null;
ResultSet resultSet = null;
try {
String driverClassName = "com.mysql.cj.jdbc.Driver";
String url = "jdbc:mysql://localhost:3306/test?useUnicode=true&characterEncoding=UTF-8&serverTimezone=UTC";
String mysqlUserName="root";
String mysqlPassword="mysql";
Class.forName(driverClassName);
connection = DriverManager.getConnection(url,mysqlUserName,mysqlPassword);
// statement = connection.createStatement();
// String sql = "select * from stu WHERE name = '"+name+"'and password = '"+password+"'";
// resultSet = statement.executeQuery(sql);
/**
* PrepareStatement 方式
* 1.给出sql模板:所有的参数使用?来替代
* 2.调用Connection方法得到PrepareStatement
*/
String sql = "select * from stu WHERE name = ? and password = ? ";
preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1,name);
preparedStatement.setString(2,password);
resultSet = preparedStatement.executeQuery();
return resultSet.next();
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
if(resultSet!=null){
resultSet.close();
}
if(preparedStatement!=null){
preparedStatement.close();
}
if(connection!=null){
connection.close();
}
} catch (SQLException e) {
e.printStackTrace();
}
}
return false;
}
@Test
public void fun1(){
String userName= "张三";
String password="111111";
String userName2= "错名' or 'a'='a";
String password2="错密码' or 'a'='a";
//正常输入
System.out.println(login2(userName,password));
//sql注入越过正常逻辑判断
System.out.println(login2(userName2,password2));
}
fun1()方法login替换为login2输出结果:
二预处理原理
·前提:连接点数据库必须支持预处理,基本数据库都支持
·每个preparedStatement都与一个sql模板绑定在一起,先把sql模板给数据库,数据库先进行校验,在进行编译,执行时只是把参数传递过去
·若第二次执行,不需再次校验语法,不用再次编译,直接执行
mysql打开预编译功能
useServerPrepStmts=true(是否使用预编译)
cachePrepStmts=true(设置是否对预编译使用local cache)
prepStmtCacheSize=256(指定了local cache的大小)