上一篇博客讲到，Statement 容易被 SQL 注入；PreparedStatement 会对 SQL 语句进行预处理（预编译），参数不再参与拼接语句结构，相对而言比较安全。
下面是我用 PreparedStatement 进行简单的增删查改操作的源代码：
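/**
 * Minimal CRUD example for the USER table using {@link PreparedStatement}.
 *
 * <p>Every SQL statement is a fixed string with {@code ?} placeholders; the
 * values are bound with {@code setXxx}, so user-supplied data is never
 * concatenated into the statement text.
 *
 * <p>The connection is opened once in the static initializer and shared; the
 * class is not thread-safe.
 */
public class JDBCTest2 {
    // JDBC driver class
    private static final String JDBC_DRIVER = "com.mysql.jdbc.Driver";
    // Database user name.
    // NOTE: credentials are hard-coded for the tutorial only; real code should
    // load them from configuration or the environment, not from source control.
    private static final String MYSQL_USERNAME = "root";
    // Database password
    private static final String MYSQL_PASSWORD = "scott";
    // Database connection URL (useSSL=true keeps the link encrypted)
    private static final String MYSQL_URL =
            "jdbc:mysql://localhost:3306/test?characterEncoding=utf8&useSSL=true";
    // Shared connection, assigned once in the static block below.
    private static Connection conn = null;

    // The static block runs exactly once, when the class is loaded: it loads
    // the driver and opens the connection.
    static {
        try {
            // Loading the driver class registers it with DriverManager.
            Class.forName(JDBC_DRIVER);
            conn = DriverManager.getConnection(MYSQL_URL, MYSQL_USERNAME, MYSQL_PASSWORD);
        } catch (ClassNotFoundException | SQLException e) {
            // Best effort, as in the original: conn stays null and the CRUD
            // methods below will fail with a NullPointerException.
            e.printStackTrace();
        }
    }

    /**
     * Inserts {@code user} into the USER table.
     *
     * <p>NOTE: the password is stored exactly as given; a real application must
     * store a salted hash (bcrypt/scrypt/argon2), never the plaintext.
     *
     * @param user the row to insert; {@code getId()} must be non-null
     */
    public void add(User user) {
        // '?' is a placeholder that is bound to a concrete value below;
        // parameter indexes start at 1, not 0.
        String sql = "INSERT INTO USER(ID,USERNAME,PASSWORD) VALUES(?,?,?)";
        // try-with-resources closes the statement even when execute() throws.
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, user.getId());
            ps.setString(2, user.getUsername());
            ps.setString(3, user.getPassword());
            ps.execute();
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Deletes the row whose ID equals {@code id}.
     *
     * @param id primary key of the row to delete
     */
    public void delete(int id) {
        String sql = "DELETE FROM USER WHERE ID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setInt(1, id);
            ps.execute();
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Prints every row of the USER table to standard output, one {@link User}
     * per line (via {@code User#toString()}).
     */
    public void select() {
        String sql = "SELECT * FROM USER";
        // Both the statement and the result set are closed when the block ends.
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                int id = rs.getInt("ID");
                String username = rs.getString("USERNAME");
                String password = rs.getString("PASSWORD");
                System.out.println(new User(id, username, password));
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }

    /**
     * Updates USERNAME and PASSWORD of the row whose ID equals {@code user.getId()}.
     *
     * @param user carries the new values and the ID of the row to change;
     *             {@code getId()} must be non-null
     */
    public void update(User user) {
        String sql = "UPDATE USER SET USERNAME = ? ,PASSWORD = ? WHERE ID = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, user.getUsername());
            ps.setString(2, user.getPassword());
            ps.setInt(3, user.getId());
            ps.execute();
        } catch (SQLException e) {
            // Narrowed from Exception so that programming errors are not swallowed.
            e.printStackTrace();
        }
    }
}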
User的代码如下:
package Pojo;
/**
 * Plain data holder for one row of the USER table.
 *
 * <p>Mutable JavaBean with a no-arg constructor and a full constructor.
 * NOTE(review): {@link #toString()} includes the password, so printing or
 * logging a {@code User} discloses it; it is kept here because the tutorial
 * relies on that output, but avoid this in real code.
 */
public class User {
    private Integer id;
    private String username;
    private String password;

    /** Creates a user with all three fields set. */
    public User(Integer id, String username, String password) {
        this.id = id;
        this.username = username;
        this.password = password;
    }

    /** Creates an empty user; all fields are {@code null} until set. */
    public User() {
    }

    /** @return the primary key, or {@code null} if unset */
    public Integer getId() {
        return id;
    }

    public void setId(Integer id) {
        this.id = id;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    /** @return {@code "User [id=…, username=…, password=…]"} followed by a newline */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("User [id=");
        sb.append(id)
          .append(", username=").append(username)
          .append(", password=").append(password)
          .append("]\n");
        return sb.toString();
    }
}
下面对User进行增删查改….
对增加的测试:
public static void main(String[] args) {
    // Print the table before and after the insert so the effect is visible.
    JDBCTest2 jt = new JDBCTest2();
    System.out.println("-------增加前------");
    jt.select();
    jt.add(new User(5, "小明", "22222"));
    System.out.println("-------增加后------");
    jt.select();
}
测试结果:
对删除的测试:
public static void main(String[] args) {
    // Print the table before and after deleting the row with ID 5.
    JDBCTest2 jt = new JDBCTest2();
    System.out.println("-------删除前------");
    jt.select();
    jt.delete(5);
    System.out.println("-------删除后------");
    jt.select();
}
测试结果:
对修改的测试:
public static void main(String[] args) {
    // Print the table, update the row with ID 3, then print it again.
    JDBCTest2 jt = new JDBCTest2();
    System.out.println("-------更新前------");
    jt.select();
    User changed = new User(3, "UZI", "22222");
    jt.update(changed);
    System.out.println("-------更新后------");
    jt.select();
}
测试结果: