Statement PreparedStatement sub-interface is to be passed with the sql statement as a placeholder, and is provided a method of supplementary placeholder variable, it can be effectively prohibited sql injection , the maximum possible improve performance.
Use PreparedStatement
1. Create a PreparedStatement
PreparedStatement ps=connection.prepareStatement(sql);
2. calls the PreparedStatement setXxx (int index, object val) set value placeholder, index 1 from the beginning.
3. Execute the sql statements: executeQuery () or executeUpdate (), do not need to pass sql statement is executed.
public static void update(String sql,Object...args) {
Connection connection=null;
Statement statement=null;
PreparedStatement preparedStatement=null;
try {
connection=getConnection();
preparedStatement=connection.prepareStatement(sql);
for(int i=0;i<args.length;i++) {
preparedStatement.setObject(i, args[i]);
}
preparedStatement.executeUpdate(sql);
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally {
release(null,preparedStatement,connection);
}
}