Statement Interface
Used to execute a static SQL statement and return the results it produces. There are three kinds of Statement classes:
Statement: created by createStatement; used to send a simple SQL statement (without parameters). Building the statement by string concatenation carries the risk of SQL injection.
PreparedStatement: inherits from the Statement interface; created by prepareStatement; used to send SQL statements containing one or more input parameters. A PreparedStatement object is more efficient than a Statement object and can prevent SQL injection.
CallableStatement: inherits from PreparedStatement; created by the prepareCall method; used to call stored procedures.
Commonly used Statement methods:
execute(): runs any statement; returns a boolean indicating whether the statement produced a result set
executeQuery(): runs a select statement and returns the result set as a ResultSet
executeUpdate(): runs an insert / update / delete statement and returns the number of rows affected
Testing Statement and SQL injection
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

public class TestStatement {
    public static void main(String[] args) {
        try {
            Class.forName("com.mysql.cj.jdbc.Driver");
            // Establish a connection: very time-consuming; in real development a connection pool manages connections
            Connection conn = DriverManager.getConnection(
                    "jdbc:mysql://localhost:3306/testjdbc?useSSL=false&serverTimezone=UTC", "root", "***");
            Statement sts = conn.createStatement();
            // String sql = "insert into t_user (username, pwd, regTime) values ('Zhao Liu', 666666, now())";
            // sts.execute(sql);
            // Test SQL injection: the concatenated id turns a single-row delete into a whole-table delete
            String id = "5 or 1=1";
            String sql = "delete from t_user where id=" + id;
            sts.execute(sql);
        } catch (ClassNotFoundException e) {
            e.printStackTrace();
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}
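The following is an added example (not the original post's code) that puts the concatenated Statement form above beside the PreparedStatement form the page recommends, using the same constructed input "5 or 1=1". It assumes the same testjdbc database, t_user table with an integer id column, and root credentials as the test above; adjust URL and password to your environment.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public class StatementVsPreparedStatement {

    // Assumed connection details, matching the page's test; change for your environment.
    private static final String URL =
            "jdbc:mysql://localhost:3306/testjdbc?useSSL=false&serverTimezone=UTC";

    // Vulnerable form from the page: the caller-supplied id becomes part of the SQL text,
    // so the database parses "or 1=1" as SQL and the where clause matches every row.
    static String buildUnsafeDelete(String id) {
        return "delete from t_user where id=" + id;
    }

    // Hardened form: the SQL text is fixed before any value is supplied; the id travels as a
    // bound parameter and can never be parsed as SQL. Parsing it as an int additionally
    // rejects any input that is not a plain number.
    static int deleteUserById(Connection conn, String id) throws SQLException {
        int userId = Integer.parseInt(id.trim()); // "5 or 1=1" throws NumberFormatException here
        try (PreparedStatement ps = conn.prepareStatement("delete from t_user where id=?")) {
            ps.setInt(1, userId);
            return ps.executeUpdate(); // number of rows actually deleted
        }
    }

    public static void main(String[] args) throws SQLException {
        String injected = "5 or 1=1"; // constructed input, same as the page's test
        System.out.println("Statement would execute: " + buildUnsafeDelete(injected));

        // JDBC 4+ drivers register themselves, so Class.forName is no longer required.
        try (Connection conn = DriverManager.getConnection(URL, "root", "***")) {
            try {
                deleteUserById(conn, injected);
            } catch (NumberFormatException e) {
                System.out.println("PreparedStatement path rejected input: " + injected);
            }
            System.out.println("Rows deleted for id 5: " + deleteUserById(conn, "5"));
        }
    }
}
```

Printing the result of buildUnsafeDelete is enough to review the injected query; it is never sent to the database in this example.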