Statement
与PreparedStatement
的区别:
1. PreparedStatement可以写动态参数化的查询
用PreparedStatement
你可以写带参数(占位符 ?)的sql查询语句;用同一条sql语句配合不同的参数值来查询,比为每组值拼接一条新的查询语句要好——参数值只通过setXxx/setObject绑定,不会进入SQL文本。
2. PreparedStatement比 Statement 更快
PreparedStatement
用来执行SQL语句查询的时候,数据库系统会对sql语句进行预编译处理,预处理语句将被预先编译好,这条预编译的sql查询语句能在将来的查询中重用,这样一来,它比Statement
对象生成的查询速度更快。需要注意的是,这一收益取决于数据库/驱动是否缓存预编译语句,以及同一条语句是否被重复执行;像下文示例那样每次调用都新建连接和PreparedStatement,几乎体现不出这种优势。
3. PreparedStatement可以防止SQL注入式攻击(前提是用户输入只通过setXxx/setObject绑定到占位符 ?,而不是先拼接进SQL字符串再prepareStatement;拼接后的语句同样会被注入)
如果你是做Java web
应用开发的,那么必须熟悉那声名狼藉的SQL注入式攻击。Sony就遭受了SQL注入攻击,被盗用了一些Sony play station(PS机)用户的数据。在SQL注入攻击里,恶意用户提交的输入中夹带了引号、注释符等SQL元字符;程序若用字符串拼接把这些输入直接拼进SQL文本,数据库就会把它们当作SQL代码的一部分来解析和执行。
例如:
sql = "SELECT * FROM users WHERE name = '" + userName + "' and pw = '"+ passWord +"';"
恶意填入:
userName = "1' OR '1'='1";
passWord = "1' OR '1'='1";
那么最终SQL语句变成了:
sql = "SELECT * FROM users WHERE name = '1' OR '1'='1' and pw = '1' OR '1'='1';"
由于OR的优先级低于AND,这个WHERE条件恒为真:查询会返回users表的全部记录,密码校验被完全绕过。若改用PreparedStatement绑定这两个参数,它们只会被当作普通字符串与name、pw列比较,不会改变SQL的结构。
PreparedStatement的局限性
尽管PreparedStatement
非常实用,但是它仍有一定的限制。
PreparedStatement
的一个占位符(?)只能绑定一个标量值,在执行有IN子句的查询时这个问题变得棘手起来:正确做法是按参数个数生成等量的占位符(如 IN (?,?,?))再逐个绑定;切勿把逗号分隔的用户输入直接拼进IN子句,否则又回到了注入风险。同样,表名、列名以及ORDER BY的排序方向都不能用占位符绑定,这类值只能用白名单校验后再拼接。
注意:占位符索引位置从1开始,而不是从0开始。
接下来给大家展示使用 PreparedStatement 执行sql增、删、改、查语句的过程:
实体类
package zr.com.chiansoft.vo;
import java.util.Date;
/**
 * Plain data holder for one row of the EMP table, in the column order the
 * sample's queries use: empno, ename, job, mgr, hiredate, sal, comm, deptno.
 *
 * <p>The numeric columns are stored as primitives, so a SQL NULL read into
 * {@code mgr} or {@code comm} is indistinguishable from 0 once it lands here.
 * {@code hiredate} is a mutable {@link Date} that is handed out and accepted by
 * reference; no defensive copy is made.
 */
public class Emp {
    private int empno;
    private String ename;
    private String job;
    private int mgr;
    private Date hiredate;
    private double sal;
    private double comm;
    private int deptno;

    /** Creates an employee with every field at its Java default (0 / null). */
    public Emp() {
    }

    /** Creates a fully populated employee, including its primary key. */
    public Emp(int empno, String ename, String job, int mgr, Date hiredate, double sal, double comm, int deptno) {
        this.empno = empno;
        this.ename = ename;
        this.job = job;
        this.mgr = mgr;
        this.hiredate = hiredate;
        this.sal = sal;
        this.comm = comm;
        this.deptno = deptno;
    }

    /** Creates an employee without a key; {@code empno} stays 0 until set. */
    public Emp(String ename, String job, int mgr, Date hiredate, double sal, double comm, int deptno) {
        this(0, ename, job, mgr, hiredate, sal, comm, deptno);
    }

    public int getEmpno() {
        return this.empno;
    }

    public void setEmpno(int empno) {
        this.empno = empno;
    }

    public String getEname() {
        return this.ename;
    }

    public void setEname(String ename) {
        this.ename = ename;
    }

    public String getJob() {
        return this.job;
    }

    public void setJob(String job) {
        this.job = job;
    }

    public int getMgr() {
        return this.mgr;
    }

    public void setMgr(int mgr) {
        this.mgr = mgr;
    }

    public Date getHiredate() {
        return this.hiredate;
    }

    public void setHiredate(Date hiredate) {
        this.hiredate = hiredate;
    }

    public double getSal() {
        return this.sal;
    }

    public void setSal(double sal) {
        this.sal = sal;
    }

    public double getComm() {
        return this.comm;
    }

    public void setComm(double comm) {
        this.comm = comm;
    }

    public int getDeptno() {
        return this.deptno;
    }

    public void setDeptno(int deptno) {
        this.deptno = deptno;
    }

    /** Renders every field as {@code Emp [empno=..., ..., deptno=...]}. */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder("Emp [");
        text.append("empno=").append(this.empno);
        text.append(", ename=").append(this.ename);
        text.append(", job=").append(this.job);
        text.append(", mgr=").append(this.mgr);
        text.append(", hiredate=").append(this.hiredate);
        text.append(", sal=").append(this.sal);
        text.append(", comm=").append(this.comm);
        text.append(", deptno=").append(this.deptno);
        return text.append("]").toString();
    }
}
dao接口
package zr.com.chinasoft.dao;
import java.util.List;
import zr.com.chiansoft.vo.Emp;
/**
 * Data-access contract for the EMP table.
 *
 * <p>Implementations are expected to keep every SQL statement constant and to
 * bind caller-supplied values through PreparedStatement placeholders, never by
 * concatenating them into the statement text.
 */
public interface EmpDao {

    /**
     * Inserts one employee row.
     *
     * @author _借东西的小人
     * @param emp the employee to store
     * @return whether the implementation reports the insert as successful
     */
    boolean addEmp(Emp emp);

    /**
     * Deletes the employee with the given primary key.
     *
     * @param empno employee number
     * @return whether the implementation reports the delete as successful
     */
    boolean deleteByEmpno(int empno);

    /**
     * Deletes every employee with the given name.
     *
     * @param ename employee name to match
     * @return whether the implementation reports the delete as successful
     */
    boolean deleteByEname(String ename);

    /**
     * Rewrites all non-key columns of the employee identified by
     * {@code emp.getEmpno()}.
     *
     * @param emp the new state, including the key to match on
     * @return whether the implementation reports the update as successful
     */
    boolean update(Emp emp);

    /**
     * Loads every employee row.
     *
     * @return all employees, possibly empty
     */
    List<Emp> QueryEmp();

    /**
     * Loads the employees whose name equals {@code emp.getEname()}; only that
     * one field of the argument is consulted.
     *
     * @param emp carrier for the name to search for
     * @return the matching employees, possibly empty
     */
    List<Emp> QueryEmpByEname(Emp emp);
}
工具类
package zr.com.chiansoft.dbUtils;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import zr.com.chiansoft.vo.Emp;
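/**
 * Minimal JDBC helper used by {@code EmpDaoImpl}: each call opens a connection,
 * runs one PreparedStatement and closes everything before returning.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Every {@code sql} argument must be a constant statement text containing
 *       {@code ?} placeholders. Caller data is bound through {@code setObject},
 *       which is what keeps these helpers injection-safe; concatenating user
 *       input into {@code sql} before calling them defeats that protection.</li>
 *   <li>The account, password and JDBC URL are read from the system properties
 *       {@code db.user}, {@code db.password} and {@code db.url}. The literal
 *       fallbacks are the Oracle SCOTT/TIGER demo account on a local XE
 *       instance and exist only so the sample keeps running; real deployments
 *       must supply their own values and never commit secrets to source.</li>
 * </ul>
 *
 * <p>Failures are reported with {@code printStackTrace()} and turned into a
 * {@code false} / empty-list result, matching the original best-effort style.
 */
public class DBUtils {
    /** Database account; overridable with -Ddb.user. */
    static String user = System.getProperty("db.user", "SCOTT");
    /** Database password; overridable with -Ddb.password. The demo fallback is not for production. */
    static String password = System.getProperty("db.password", "TIGER");
    /** JDBC URL; overridable with -Ddb.url. */
    static String url = System.getProperty("db.url", "jdbc:oracle:thin:@localhost:1521:xe");
    /**
     * Retained only so existing code referencing {@code DBUtils.conn} /
     * {@code DBUtils.ps} still compiles. The helpers below no longer write to
     * them: a shared static handle meant two concurrent callers could close
     * each other's connection. Each method owns its resources locally.
     */
    static Connection conn = null;
    static PreparedStatement ps = null;

    /**
     * Opens a new connection as the given account. This version honours its
     * parameters; previously they were ignored in favour of hard-coded literals.
     *
     * @param user     database account
     * @param password its password
     * @return an open connection, or null when the driver is missing or the
     *         database refuses the connection (the cause is printed)
     */
    public static Connection getConnection(String user, String password) {
        try {
            // Explicit driver load kept for drivers that predate JDBC 4 auto-registration.
            Class.forName("oracle.jdbc.driver.OracleDriver");
            return DriverManager.getConnection(url, user, password);
        } catch (ClassNotFoundException | SQLException e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * Runs an INSERT / UPDATE / DELETE.
     *
     * @param sql constant statement text with one {@code ?} per value in {@code obj}
     * @param obj values bound to the placeholders in order; may be null or empty
     * @return true when at least one row was affected, false on zero rows or any failure
     */
    public static boolean update(String sql, Object obj[]) {
        int count = 0;
        try (Connection c = getConnection(user, password)) {
            if (c == null) {
                return false; // already reported by getConnection
            }
            try (PreparedStatement stmt = c.prepareStatement(sql)) {
                bind(stmt, obj);
                count = stmt.executeUpdate();
                System.out.println("数据表更新" + count + "条");
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
        return count > 0;
    }

    /**
     * Runs a parameterless SELECT whose select list is the EMP column order
     * (see {@link #mapRow}).
     *
     * @param sql constant query text
     * @param rs  ignored; kept for signature compatibility. Java passes the
     *            reference by value, so assigning to it never reached the
     *            caller in the original either. The ResultSet is now closed
     *            here before returning.
     * @return the mapped rows, empty on any failure
     */
    public static List<Emp> QueryAll(String sql, ResultSet rs) {
        return Query(sql, rs, null);
    }

    /**
     * Runs a parameterised SELECT whose select list is the EMP column order
     * (see {@link #mapRow}). All values in {@code obj} are bound, not just the
     * first one as before.
     *
     * @param sql constant query text with one {@code ?} per value in {@code obj}
     * @param rs  ignored; see {@link #QueryAll(String, ResultSet)}
     * @param obj values bound to the placeholders in order; may be null or empty
     * @return the mapped rows, empty on any failure
     */
    public static List<Emp> Query(String sql, ResultSet rs, Object obj[]) {
        List<Emp> list = new ArrayList<>();
        try (Connection c = getConnection(user, password)) {
            if (c == null) {
                return list; // already reported by getConnection
            }
            try (PreparedStatement stmt = c.prepareStatement(sql)) {
                bind(stmt, obj);
                try (ResultSet result = stmt.executeQuery()) {
                    while (result.next()) {
                        list.add(mapRow(result));
                    }
                }
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
        return list;
    }

    /**
     * Binds {@code params[i]} to placeholder {@code i + 1} — JDBC indexes start
     * at 1. A null array binds nothing.
     */
    private static void bind(PreparedStatement stmt, Object[] params) throws SQLException {
        if (params == null) {
            return;
        }
        for (int i = 0; i < params.length; i++) {
            stmt.setObject(i + 1, params[i]);
        }
    }

    /**
     * Builds an Emp from the current row. Columns are read by position, so the
     * select list must be exactly: empno, ename, job, mgr, hiredate, sal, comm,
     * deptno. Nullable numeric columns (mgr, comm) arrive as 0 when NULL because
     * Emp stores them as primitives.
     */
    private static Emp mapRow(ResultSet row) throws SQLException {
        int empno = row.getInt(1);
        String ename = row.getString(2);
        String job = row.getString(3);
        int mgr = row.getInt(4);
        Date hiredate = row.getDate(5);
        double sal = row.getDouble(6);
        double comm = row.getDouble(7);
        int deptno = row.getInt(8);
        return new Emp(empno, ename, job, mgr, hiredate, sal, comm, deptno);
    }

    /**
     * Closes whatever is non-null. Each handle is closed in its own try so a
     * failure closing one no longer leaks the others (previously a failing
     * {@code rs.close()} skipped both the statement and the connection).
     */
    public static void close(ResultSet rs, Statement stat, Connection conn) {
        if (rs != null) {
            try {
                rs.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
        if (stat != null) {
            try {
                stat.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
        if (conn != null) {
            try {
                conn.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }
}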
dao接口的实现
package zr.com.chiansoft.dao.impl;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.List;
import zr.com.chiansoft.dbUtils.DBUtils;
import zr.com.chiansoft.vo.Emp;
import zr.com.chinasoft.dao.EmpDao;
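/**
 * JDBC implementation of {@link EmpDao} backed by {@link DBUtils}.
 *
 * <p>Every statement is a constant string with {@code ?} placeholders; the
 * values taken from the {@link Emp} argument are bound positionally by
 * {@code DBUtils}, so none of them ever becomes part of the SQL text.
 *
 * <p>The class keeps no per-call state. The previous version shared result,
 * connection, statement and list fields between calls, which made a single
 * instance unsafe to use from more than one thread and let {@code addEmp}
 * return a stale flag from an earlier call; it also carried its own copy of the
 * database credentials that nothing read. Opening and closing connections is
 * entirely {@code DBUtils}' job, so the no-op {@code close(null, null, null)}
 * calls are gone too.
 *
 * <p>The select statements name their columns explicitly instead of
 * {@code select *}: {@code DBUtils} maps the result by position, so the query
 * must fix the order (empno, ename, job, mgr, hiredate, sal, comm, deptno).
 */
public class EmpDaoImpl implements EmpDao {

    /**
     * Inserts one employee row.
     *
     * @param emp employee to insert; all eight columns are taken from it
     * @return true when the database reports at least one inserted row
     * @throws NullPointerException if {@code emp} is null
     */
    @Override
    public boolean addEmp(Emp emp) {
        String sql = "insert into emp (empno,ename,job,mgr,hiredate,sal,comm,deptno) "
                + "values (?,?,?,?,?,?,?,?)";
        Object[] params = {emp.getEmpno(), emp.getEname(), emp.getJob(), emp.getMgr(),
                emp.getHiredate(), emp.getSal(), emp.getComm(), emp.getDeptno()};
        // Return the actual outcome; the original discarded it and returned a stale field.
        return DBUtils.update(sql, params);
    }

    /**
     * Deletes the employee with the given key.
     *
     * @param empno primary key to match
     * @return true when the database reports at least one deleted row
     */
    @Override
    public boolean deleteByEmpno(int empno) {
        String sql = "delete from emp where empno=?";
        return DBUtils.update(sql, new Object[] {empno});
    }

    /**
     * Deletes every employee with the given name. The name is bound as a
     * parameter, so quotes or other SQL metacharacters in it are harmless.
     *
     * @param ename name to match exactly
     * @return true when the database reports at least one deleted row
     */
    @Override
    public boolean deleteByEname(String ename) {
        String sql = "delete from emp where ename=?";
        return DBUtils.update(sql, new Object[] {ename});
    }

    /**
     * Rewrites all non-key columns of the row whose empno equals
     * {@code emp.getEmpno()}.
     *
     * @param emp new state; its empno selects the row
     * @return true when the database reports at least one updated row
     * @throws NullPointerException if {@code emp} is null
     */
    @Override
    public boolean update(Emp emp) {
        String sql = "update emp set ename=?,job=?,mgr=?,hiredate=?,sal=?,comm=?,deptno=? where empno=?";
        Object[] params = {emp.getEname(), emp.getJob(), emp.getMgr(), emp.getHiredate(),
                emp.getSal(), emp.getComm(), emp.getDeptno(), emp.getEmpno()};
        return DBUtils.update(sql, params);
    }

    /**
     * Loads every employee.
     *
     * @return all rows, or an empty list when the query fails
     */
    @Override
    public List<Emp> QueryEmp() {
        String sql = "select empno,ename,job,mgr,hiredate,sal,comm,deptno from emp";
        return DBUtils.QueryAll(sql, null);
    }

    /**
     * Loads the employees whose name equals {@code emp.getEname()}; no other
     * field of the argument is used.
     *
     * @param emp carrier for the name to search for
     * @return matching rows, or an empty list when the query fails
     * @throws NullPointerException if {@code emp} is null
     */
    @Override
    public List<Emp> QueryEmpByEname(Emp emp) {
        String sql = "select empno,ename,job,mgr,hiredate,sal,comm,deptno from emp where ename=?";
        return DBUtils.Query(sql, null, new Object[] {emp.getEname()});
    }
}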
测试类
package zr.com.chinasoft.test;
import java.sql.Date;
import java.util.List;
import zr.com.chiansoft.dao.impl.EmpDaoImpl;
import zr.com.chiansoft.vo.Emp;
import zr.com.chinasoft.dao.EmpDao;
/**
 * Manual smoke test for {@link EmpDaoImpl}: inserts, deletes, updates and then
 * queries the EMP table of a live database, printing each step. It needs a
 * reachable Oracle instance with the SCOTT.EMP table; there are no assertions.
 *
 * <p>Note that the inserted employee never gets a {@code mgr}, so the column
 * is written as 0 (the Emp default) — if the target schema constrains MGR this
 * insert will be rejected; confirm against the actual table definition.
 */
public class EmpTest {

    public static void main(String[] args) {
        EmpDao dao = new EmpDaoImpl();
        Emp emp = new Emp();

        System.out.println("添加员工测试");
        fill(emp, 1122, "lilil", "Cliker", 0, Date.valueOf("2017-05-05"), 1111, 100, 10);
        dao.addEmp(emp);

        System.out.println("通过empno删除员工信息测试");
        dao.deleteByEmpno(1122);

        System.out.println("通过ename删除员工信息测试");
        dao.deleteByEname("狼狼");

        System.out.println("通过empno修改员工信息测试");
        fill(emp, 1000, "泡泡", "Mouse", 100, Date.valueOf("1999-9-9"), 6666, 666, 10);
        dao.update(emp);

        System.out.println("查询所有员工信息测试");
        printAll(dao.QueryEmp());

        System.out.println("通过ename查询员工信息测试");
        emp.setEname("韩跑跑");
        printAll(dao.QueryEmpByEname(emp));
    }

    /** Overwrites every field of {@code target} with the given values. */
    private static void fill(Emp target, int empno, String ename, String job, int mgr,
            Date hiredate, double sal, double comm, int deptno) {
        target.setEmpno(empno);
        target.setEname(ename);
        target.setJob(job);
        target.setMgr(mgr);
        target.setHiredate(hiredate);
        target.setSal(sal);
        target.setComm(comm);
        target.setDeptno(deptno);
    }

    /** Prints one employee per line using {@link Emp#toString()}. */
    private static void printAll(List<Emp> rows) {
        for (Emp row : rows) {
            System.out.println(row);
        }
    }
}
完整的项目代码已经上传到github中了,访问地址:github
在学习的过程中如果遇到什么问题,欢迎大家提问。