preparedstatment: more readable, safe, prevent sql injection, more efficient
PreparedStatment syntax:
Connection conn = null; PreparedStatement ps = null; ResultSet res = null; try { conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:orcl", "scott", "tiger"); // sql 语句 String sql = "select * from userinfos where user_id = ? and user_password = ?"; ps = conn.prepareStatement(sql); // Set the value of the question mark placeholder of sql ps.setString(1 , id); ps.setString(2, password); res = ps.executeQuery();
Package tool class: *
package tool; import java.sql.Connection; import java.sql.DriverManager; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import java.util.List; public class DBTool { static Connection conn = null; static{ try { Class.forName("oracle.jdbc.driver.OracleDriver"); } catch (ClassNotFoundException e) { e.printStackTrace (); } try { conn = DriverManager.getConnection("jdbc:oracle:thin:@localhost:1521:orcl","scott","tiger"); } catch (SQLException e) { e.printStackTrace (); } } // Add, delete and modify methods, no need to pass in the operation value public int executeOper(String sql){ int ret = 0 ; try { PreparedStatement ps = DBTool.conn.prepareStatement(sql); ret = ps.executeUpdate(); close(null, ps, conn); } catch (SQLException e) { e.printStackTrace (); } return ret; } // Add, delete and modify methods, sql statement with question mark public int executeOper(String sql,List<Object> list){ int ret = 0 ; try { PreparedStatement ps = DBTool.conn.prepareStatement(sql); for(int i = 0; i < list.size(); i++){ Object obj = list.get(i); if(obj instanceof String){ ps.setString(i+1, obj.toString()); } if(obj instanceof Integer){ ps.setInt(i+1, (int)obj); } if(obj instanceof Float){ ps.setFloat(i+1, (float)obj); } ret = ps.executeUpdate(); } close(null, ps, conn); } catch (SQLException e) { e.printStackTrace (); } return ret; } // Query method without parameters public ResultSet Query(String sql){ ResultSet res = null; try { PreparedStatement ps = DBTool.conn.prepareStatement(sql); res = ps.executeQuery(); //close(null, ps, conn); } catch (SQLException e) { e.printStackTrace (); } return res; } // Query method with question mark public ResultSet Query(String sql,List<Object> list){ ResultSet res = null; try { PreparedStatement ps = DBTool.conn.prepareStatement(sql); for (int i = 0; i < list.size(); i++) { Object obj = list.get(i); if(obj instanceof String){ ps.setString(i+1, obj.toString()); } if(obj instanceof Integer){ ps.setInt(i+1, (int)obj); } if(obj instanceof Float){ ps.setFloat(i+1, (float)obj); } } res = ps.executeQuery(); //close(null, ps, conn); } catch (SQLException e) { e.printStackTrace (); } return res; } public void close(ResultSet res,Statement ps,Connection conn){ try { if(res != null){ res.close(); } if(ps != null){ ps.close(); } if(conn != null){ conn.close(); } } catch (SQLException e) { e.printStackTrace (); } } }