Comparing PreparedStatement and Statement for JDBC query operations

Copyright notice: [email protected] https://blog.csdn.net/zhaoxuyang1997/article/details/82711068

Two code samples

Using Statement (the worse option)

    // Runs a fully formed SQL string as-is. Whatever the caller spliced into
    // `sql` is parsed by the database as part of the query.
    // Assumes a `Connection connection` field and a `getConn()` helper on the enclosing class.
    private List<User> select(String sql) throws SQLException {
        if (connection.isClosed()) {
            connection = getConn();
        }
        List<User> list = new ArrayList<>();
        try (Statement st = connection.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                int id = rs.getInt("id");
                String name = rs.getString("name");
                String regdate = rs.getString("regdate");
                String password = rs.getString("password");
                String email = rs.getString("email");

                User t = new User();
                t.setId(id);
                t.setName(name);
                t.setRegdate(regdate);
                t.setPassword(password);
                t.setEmail(email);
                list.add(t);
            }
        }
        return list;
    }

Using PreparedStatement (the better option)

    // Compiles the SQL with `?` placeholders first, then binds each argument as a
    // value. The bound values are never parsed as SQL, so they cannot change the
    // shape of the query.
    // Assumes a `Connection connection` field and a `getConn()` helper on the enclosing class.
    private List<User> selectPreparedStatement(String sql, Object... args) throws SQLException {
        if (connection.isClosed()) {
            connection = getConn();
        }
        List<User> list = new ArrayList<>();
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            // JDBC parameter indexes are 1-based.
            for (int i = 0; i < args.length; i++) {
                ps.setObject(i + 1, args[i]);
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    int id = rs.getInt("id");
                    String name = rs.getString("name");
                    String regdate = rs.getString("regdate");
                    String password = rs.getString("password");
                    String email = rs.getString("email");

                    User t = new User();
                    t.setId(id);
                    t.setName(name);
                    t.setRegdate(regdate);
                    t.setPassword(password);
                    t.setEmail(email);
                    list.add(t);
                }
            }
        }
        return list;
    }

Now compare the difference at the call site, taking a user-login method as the example:

Using Statement: slow and unsafe

For example, a user builds their own page, bypasses your front-end form validation, and POSTs directly:
name=123 or 1=1
e.g. name=123 or 1=1&password=123456
The userLogin method then becomes userLogin("123 or 1=1",123456)

Or name=123/**/or/**/1=1&password=123456
Or name=123 or 1=1 and delete from user&password=123456

    public boolean userLogin(String name, String password) throws SQLException {
        return !select("select * from user where name=" + name + " and password=" + password).isEmpty();
    }

Using PreparedStatement: fast and safe; the statement is precompiled with placeholders and the driver binds each parameter as a value rather than splicing it into the SQL text, which prevents SQL injection through those parameters

    public boolean userLogin(String name, String password) throws SQLException {
        return !selectPreparedStatement("select * from user where name=? and password=?", name, password).isEmpty();
    }
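To see the two call sites side by side on real input, here is a self-contained program that seeds an in-memory database with the columns the post reads and runs both login methods with the `123 or 1=1` input described above. This is an added example, not code from the post; it assumes the sqlite-jdbc driver (org.xerial:sqlite-jdbc) is on the classpath, and the table contents are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not the post's code). Assumes sqlite-jdbc on the classpath;
// any JDBC driver with an equivalent `user` table would do.
public class LoginCompare {
    private final Connection connection;

    LoginCompare(Connection connection) {
        this.connection = connection;
    }

    // Same shape as the post's Statement version: the SQL text is assembled
    // from the caller's strings, so the database parses them as SQL.
    boolean loginWithStatement(String name, String password) throws SQLException {
        String sql = "select * from user where name=" + name + " and password=" + password;
        try (Statement st = connection.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Same shape as the post's PreparedStatement version: fixed SQL with
    // placeholders, and each input bound as a single string value.
    boolean loginWithPreparedStatement(String name, String password) throws SQLException {
        String sql = "select * from user where name=? and password=?";
        try (PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, name);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed in-memory schema mirroring the columns the post reads.
        try (Connection c = DriverManager.getConnection("jdbc:sqlite::memory:")) {
            try (Statement st = c.createStatement()) {
                st.execute("create table user (id integer primary key, name text, "
                        + "regdate text, password text, email text)");
                st.execute("insert into user (name, regdate, password, email) "
                        + "values ('alice', '2018-09-14', '123456', 'alice@example.com')");
            }
            LoginCompare lc = new LoginCompare(c);

            String injected = "123 or 1=1"; // the input the post describes

            // Statement: the WHERE clause becomes `name=123 or 1=1 and password=123456`,
            // so the outcome depends on the database's comparison rules, not on the name.
            System.out.println("Statement, injected name:         "
                    + lc.loginWithStatement(injected, "123456"));
            // PreparedStatement: the same text is bound as one name value; no such row exists.
            System.out.println("PreparedStatement, injected name: "
                    + lc.loginWithPreparedStatement(injected, "123456"));
            // PreparedStatement still authenticates a genuine user.
            System.out.println("PreparedStatement, real user:     "
                    + lc.loginWithPreparedStatement("alice", "123456"));
        }
    }
}
```

Run it with the driver jar on the classpath (for example `java -cp sqlite-jdbc.jar:. LoginCompare`). The point to take away is the second line: the prepared version returns false for the injected name regardless of which database is behind the connection, because the text never reaches the SQL parser, whereas the Statement version's result is whatever the spliced-together WHERE clause happens to evaluate to. A separate weakness the post's code shares with this example, comparing the password as a stored plaintext column, is unrelated to injection and would be addressed by storing and checking a password hash instead.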


Reposted from blog.csdn.net/zhaoxuyang1997/article/details/82711068