JDBC--PreparedStatement1

PreparedStatement作用：
1.预编译SQL并执行SQL语句：
①获取PreparedStatement对象
//SQL语句中的参数值，使用？占位符替代
String sql = "select id,username,password from user where username = ? and password = ?";
②设置参数值
PreparedStatement对象：setXxx(参数1，参数2)：给？赋值
Xxx：数据类型 参数1：？的位置编号，从一开始，参数2：？的值
③执行SQL
executeUpdate()或executeQuery() ：不需要再传递sql
PreparedStatement好处：预编译SQL，性能更高；防止SQL注入将敏感字符进行转义
PreparedStatement预编译功能开启：useServerPrepStmts=true
PreparedStatement原理：①在获取PreparedStatement对象时，将sql语句发给mysql服务器进行检查编译(非常耗时)②执行时不再执行这些步骤，速度更快③如果sql模板一样，只需要进行一次检查、编译

sql注入问题解决:
(select id,username,password from user where username ='自己输入的' and password = '' or '1' = '1')
(上述语句会在遇到单引号时转义加上一个,从而解决sql注入)

import java.sql.*;

public class PreparedStatement {
    public static void main(String[] args) throws Exception {
        String url = "jdbc:mysql://127.0.0.1:3306/db1?useSLL=false";
        String name = "root";
        String password = "123456";
        Connection conn = DriverManager.getConnection(url, name, password);

        String username = "jack";
        String pwd  = "247893";

        //定义sql
        String sql = "select id,username,password from user where username = ? and password = ?";

        //获取sql对象
        java.sql.PreparedStatement pstmt = conn.prepareStatement(sql);

        //设置？的值
        pstmt.setString(1,username);
        pstmt.setString(2,pwd);

        //执行sql
        ResultSet rs = pstmt.executeQuery();

        //判断是否成功
        if (rs.next()){
            System.out.println("成功");
        }else {
            System.out.println("失败");
        }

        rs.close();
        conn.close();
        pstmt.close();
    }
}