JDBC防止SQL注入

1.PreparedStatement的应用

作用：1.预编译sql语句，效率高

2.安全，防止sql注入

3.可以动态的填充数据,执行多个同构的SQL语句

 

package com.qf.JDBC;
​
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Scanner;
​
public class JDBC防注入 {
    public static void main(String[] args) throws Exception {
        Scanner scanner = new Scanner(System.in);
        System.out.println("请输入用户名：");
        String username = scanner.nextLine();//next遇到空格结束,nextline能读取空格
        System.out.println("请输入钱数：");
        String money = scanner.nextLine();
        //注册驱动
        Class.forName("com.mysql.jdbc.Driver");
        //获得数据库连接
        String url = "jdbc:mysql://localhost:3306/jdbc?serverTimezone=UTC";
        String name ="root";
        String password = "123456";
        Connection connection = DriverManager.getConnection(url,name,password);
​
        //执行sql语句
        //获得PreparedStatement对象，预编译Sql语句
        PreparedStatement preparedStatement = connection.prepareStatement("select * from accounts where name =? and money=?;");
        //每一个参数都有一个占位符?,在执行SQL语句之前，要给占位符赋值，占位符顺序从一开始
        preparedStatement.setString(1,username);
        preparedStatement.setString(2,money);
        //执行sql语句，并接收结果
        ResultSet resultSet = preparedStatement.executeQuery();
        if(resultSet.next()){
            System.out.println("登录成功！");
        }else{
            System.out.println("登录失败！");
        }
    }
​
​
}

运行结果：

请输入用户名：
A
请输入钱数：
1000
Loading class `com.mysql.jdbc.Driver'. This is deprecated. The new driver class is `com.mysql.cj.jdbc.Driver'. The driver is automatically registered via the SPI and manual loading of the driver class is generally unnecessary.
登录成功！