Statement和PreparedStatement区别:
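Statement代码如下:
package com.ambow.day19.jdbc;

import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import com.ambow.day19.jdbc.util.JDBCConAndClo;

// Note: when issuing many inserts/updates in a row, use batching (addBatch / executeBatch).

/**
 * Demonstrates plain {@link Statement} usage.
 *
 * <p>Every SQL string here is a compile-time constant, so this listing is safe as written.
 * The important limitation is that a Statement has no parameter binding: any value that
 * varied at runtime would have to be concatenated into the SQL text, and text concatenated
 * into SQL is parsed as SQL. That is exactly the pattern behind SQL injection — compare the
 * {@code ?} placeholders in JDBCPreparedStatementTest below.
 */
public class JDBCStatementTest {

    public static void main(String[] args) {
        Connection con = null;
        Statement stm = null;
        ResultSet rs = null;
        try {
            // 1. Load the JDBC driver and open the connection.
            con = JDBCConAndClo.getConnectionBao();
            System.out.println("con=" + con);
            if (con == null) {
                // getConnectionBao() returns null when the driver cannot be loaded or the
                // connection fails; the original code went on to con.createStatement() and
                // failed with a NullPointerException instead of a clear exit.
                return;
            }

            // * Inserting rows with a Statement (kept for reference, not executed):
            // String sql1 = "insert into student values(12,'wang','java',55)";
            // String sql2 = "insert into student values(13,'wang','java',95)";
            // String sql3 = "insert into student values(14,'wadedng','java',45)";
            // stm = con.createStatement();
            // stm.executeUpdate(sql1);
            // stm.executeUpdate(sql2);
            // stm.executeUpdate(sql3);
            // System.out.println("插入成功!");

            // * Deleting rows with a Statement:
            String sql11 = "delete from student where id=1";
            String sql12 = "delete from student where id=2";
            String sql13 = "delete from student where id=3";
            stm = con.createStatement();
            stm.executeUpdate(sql11);
            stm.executeUpdate(sql12);
            stm.executeUpdate(sql13);
            System.out.println("删除成功!");

            // * Querying rows with a Statement:
            // 2. Execute the SQL.
            String sql = "select * from student";
            // Close the Statement used for the deletes before creating a new one; the
            // original simply overwrote the reference and leaked the first Statement.
            JDBCConAndClo.closeStatement(stm);
            stm = con.createStatement();
            rs = stm.executeQuery(sql);
            // 3. Walk the result set.
            while (rs.next()) {
                System.out.print(rs.getString("id") + " ");
                System.out.print(rs.getString("name") + " ");
                System.out.print(rs.getString("course") + " ");
                System.out.println(rs.getString("score"));
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            // 4. Release resources in the reverse order of acquisition; every helper is null-safe.
            JDBCConAndClo.closeResultSet(rs);
            JDBCConAndClo.closeStatement(stm);
            JDBCConAndClo.closeConnection(con);
        }
    }
}
PreparedStatement代码如下:
package com.ambow.day19.jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import com.ambow.day19.jdbc.util.JDBCConAndClo;

// Note: when issuing many inserts/updates in a row, use batching (addBatch / executeBatch).

/**
 * Demonstrates {@link PreparedStatement} usage.
 *
 * <p>The SQL text contains only {@code ?} placeholders; the actual values are supplied
 * through setInt/setString. The driver transmits bound values separately from the SQL
 * text, so a bound value is never parsed as SQL regardless of its content. That is why
 * parameter binding is the standard defence against SQL injection, and it also lets the
 * database reuse the parsed statement across executions.
 */
public class JDBCPreparedStatementTest {

    public static void main(String[] args) {
        Connection con = null;
        PreparedStatement pstm = null;
        ResultSet rs = null;
        try {
            con = JDBCConAndClo.getConnectionBao();
            if (con == null) {
                // Connection failure is reported by getConnectionBao(); nothing to do here.
                return;
            }

            // * Inserting a row with a PreparedStatement:
            // String sql = "insert into student values(10,'李四','高数',90)";
            String sql = "insert into student values(?,?,?,?)";
            // 1. Prepare the statement (the SQL text is sent to the database once).
            pstm = con.prepareStatement(sql);
            // 2. Bind the parameters; JDBC parameter indexes are 1-based.
            pstm.setInt(1, 11);
            pstm.setString(2, "wangqinqin");
            pstm.setString(3, "hibernate");
            pstm.setInt(4, 85);
            // 3. Execute.
            pstm.executeUpdate();
            System.out.println("插入成功!");

            // * Deleting a row with a PreparedStatement:
            String sql2 = "delete from student where id=?";
            // Close the previous PreparedStatement before reassigning the reference;
            // the original leaked it.
            JDBCConAndClo.closePreparedStatement(pstm);
            pstm = con.prepareStatement(sql2);
            pstm.setInt(1, 5);
            pstm.executeUpdate();
            System.out.println("删除成功!");

            // * Querying a row with a PreparedStatement:
            String sql1 = "select * from student where id=?";
            JDBCConAndClo.closePreparedStatement(pstm);
            pstm = con.prepareStatement(sql1);
            pstm.setInt(1, 8);
            rs = pstm.executeQuery();
            System.out.println("查询结果为:");
            // Walk the result set.
            while (rs.next()) {
                System.out.print(rs.getString("id") + " ");
                System.out.print(rs.getString("name") + " ");
                System.out.print(rs.getString("course") + " ");
                System.out.println(rs.getString("score"));
            }
        } catch (SQLException e) {
            e.printStackTrace();
        } finally {
            JDBCConAndClo.closeResultSet(rs);
            JDBCConAndClo.closePreparedStatement(pstm);
            JDBCConAndClo.closeConnection(con);
        }
    }
}
其中连接和关闭数据库已经封装到另一个包JDBCConAndClo类中:
package com.ambow.day19.jdbc.util;

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/**
 * Opens the database connection and closes JDBC resources.
 *
 * <p>All close helpers accept {@code null} and swallow (but print) the SQLException from
 * {@code close()}, so they can be called unconditionally from a {@code finally} block.
 */
public class JDBCConAndClo {

    public static void main(String[] args) {
        // Smoke test: open a connection and close it again (the original left it open).
        Connection con = getConnectionBao();
        closeConnection(con);
    }

    /**
     * Loads the Oracle JDBC driver and opens a connection.
     *
     * @return the open connection, or {@code null} if the driver class cannot be loaded or
     *     the connection attempt fails (the exception is printed, not propagated)
     */
    public static Connection getConnectionBao() {
        Connection con = null;
        String url = "jdbc:oracle:thin:@localhost:1521:ambow";
        String user = "system";
        // NOTE(review): the credentials are hard-coded in source and use the SYSTEM
        // account. Outside a classroom demo they belong in configuration or the
        // environment, and the application should connect as a least-privilege user
        // that only has rights on the tables it touches.
        String password = "wqq123";
        try {
            Class.forName("oracle.jdbc.driver.OracleDriver");
            con = DriverManager.getConnection(url, user, password);
            if (!con.isClosed()) {
                System.out.println("连接数据库成功!");
            }
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        }
        // Prints the connection object only; the password is never echoed.
        System.out.println("con=" + con);
        return con;
    }

    /** Closes a ResultSet; a {@code null} argument is ignored. */
    public static void closeResultSet(ResultSet rs) {
        if (rs != null) {
            try {
                rs.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }

    /** Closes a Statement; a {@code null} argument is ignored. */
    public static void closeStatement(Statement stm) {
        if (stm != null) {
            try {
                stm.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }

    /** Closes a PreparedStatement; a {@code null} argument is ignored. */
    public static void closePreparedStatement(PreparedStatement pstm) {
        if (pstm != null) {
            try {
                pstm.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }

    /** Closes a Connection; a {@code null} argument is ignored. */
    public static void closeConnection(Connection con) {
        // The original assigned null to the parameter after closing; that only changed the
        // local copy of the reference and had no effect on the caller, so it is dropped.
        if (con != null) {
            try {
                con.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }
}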
1 楼 一段汇编 2010-04-18 PreparedStatement似乎还可以防sql注入,具体原理没搞明白。