版权声明:[email protected] https://blog.csdn.net/zhaoxuyang1997/article/details/82711068
两段代码
使用 Statement
,劣
/**
 * Runs {@code sql} through a plain {@link Statement} and maps every row of the
 * result to a {@link User}.
 *
 * <p>The query text is executed exactly as received: nothing here quotes,
 * escapes or separates values from the statement, so whoever builds the string
 * owns its entire content. {@code selectPreparedStatement} is the variant that
 * binds values separately from the SQL text.
 *
 * @param sql the complete query text to execute
 * @return the mapped rows; empty when the query matched nothing
 * @throws SQLException if reconnecting, creating the statement, running the
 *         query or reading the result fails
 */
private List<User> select(String sql) throws SQLException{
    // The shared connection is reopened lazily once it has been closed.
    if (connection.isClosed()) {
        connection = getConn();
    }
    List<User> users;
    try (Statement stmt = connection.createStatement()) {
        users = new ArrayList<>();
        try (ResultSet row = stmt.executeQuery(sql)) {
            while (row.next()) {
                User user = new User();
                user.setId(row.getInt("id"));
                user.setName(row.getString("name"));
                user.setRegdate(row.getString("regdate"));
                user.setPassword(row.getString("password"));
                user.setEmail(row.getString("email"));
                users.add(user);
            }
        }
    }
    return users;
}
使用 PreparedStatement
,优
/**
 * Runs a parameterised query and maps every row of the result to a {@link User}.
 *
 * <p>Each element of {@code args} is bound positionally with
 * {@link PreparedStatement#setObject(int, Object)} — the first argument goes to
 * the first {@code ?} — so the values travel separately from the SQL text
 * instead of being spliced into it.
 *
 * @param sql  query text containing one {@code ?} placeholder per argument
 * @param args values to bind, in placeholder order
 * @return the mapped rows; empty when the query matched nothing
 * @throws SQLException if reconnecting, preparing, binding, running the query
 *         or reading the result fails
 */
private List<User> selectPreparedStatement(String sql, Object...args) throws SQLException{
    // The shared connection is reopened lazily once it has been closed.
    if (connection.isClosed()) {
        connection = getConn();
    }
    List<User> users;
    try (PreparedStatement stmt = connection.prepareStatement(sql)) {
        users = new ArrayList<>();
        // JDBC parameter indices are 1-based.
        int index = 1;
        for (Object arg : args) {
            stmt.setObject(index, arg);
            index++;
        }
        try (ResultSet row = stmt.executeQuery()) {
            while (row.next()) {
                User user = new User();
                user.setId(row.getInt("id"));
                user.setName(row.getString("name"));
                user.setRegdate(row.getString("regdate"));
                user.setPassword(row.getString("password"));
                user.setEmail(row.getString("email"));
                users.add(user);
            }
        }
    }
    return users;
}
接下来比较调用时的区别,对于编写用户登陆的方法:
使用 Statement
,慢,不安全
比如用户自己做了一个页面,就绕过了你的前端表单的验证,直接POST进来了一个
name=123 or 1=1
,
例如name=123 or 1=1&password=123456
,
那么userLogin方法就变成了userLogin("123 or 1=1", "123456")
或者name=123/**/or/**/1=1&password=123456
或者name=123 or 1=1 and delete from user&password=123456
/**
 * Checks whether a user row exists with the given name and password by
 * splicing both values straight into the SQL text and running it through
 * {@link Statement} via {@code select}.
 *
 * <p>Because {@code name} and {@code password} become part of the statement
 * itself (unquoted and unescaped), any SQL syntax they contain is parsed as
 * SQL. This is the injectable variant the surrounding text describes; the
 * {@code PreparedStatement}-based {@code userLogin} is the one to use.
 *
 * @param name     submitted user name, used verbatim in the query
 * @param password submitted password, used verbatim in the query
 * @return {@code true} when at least one row matched
 * @throws SQLException if the query fails, including when the spliced text is
 *         not valid SQL
 */
public boolean userLogin(String name, String password) throws SQLException{
return !select("select * from user where name=" + name + " and password=" + password).isEmpty();
}
使用 PreparedStatement
,快,安全:参数与SQL文本分开传递,不会被当作SQL语句解析,因此能防SQL注入
/**
 * Checks whether a user row exists with the given name and password.
 *
 * <p>Both inputs are passed as bind parameters to {@code selectPreparedStatement}
 * and are never concatenated into the query text.
 *
 * @param name     submitted user name
 * @param password submitted password, compared against the stored column as-is
 * @return {@code true} when at least one row matched
 * @throws SQLException if the query fails
 */
public boolean userLogin(String name, String password) throws SQLException{
    final String query = "select * from user where name=? and password=?";
    // NOTE(review): the password is compared directly with the stored column;
    // confirm that column holds a hashed value rather than plaintext.
    List<User> matches = selectPreparedStatement(query, name, password);
    return !matches.isEmpty();
}