1. What is prepareStatement
- prepareStatement is an object that represents a precompiled SQL statement.
2. Why prepareStatement
1. The implementation of the previous statement, is to splice together sql statement and then execute. In this case, if the sql statement variable with the keyword database, then considered to be together is the key word, rather than ordinary strings.
2. When using prepareStatement, pre-process a given SQL statement and its syntax checking, use the SQL statement? After resuming as a placeholder to replace the incoming variable, the variable will be regarded as coming back without any string of keywords.
3. The basic syntax
- Use statement
public void login(String username,int password) {
Connection conn = null;
Statement st = null;
ResultSet rs = null;
PreparedStatement ps = null;
try{
conn = JDBCUtil.getConn();
st = conn.createStatement();
String sql = "select * from student where name='"+username+"' and age = '"+password+"'";
rs = st.executeQuery(sql);
if(rs.next()){
String name = rs.getString("name");
int age = rs.getInt("age");
System.out.println("name = "+username+" age = "+password);
System.out.println("登录成功");
}else{
System.out.println("登陆失败");
}
}catch (Exception e){
System.out.println("异常,登陆失败");
e.printStackTrace();
}
- Use prepareStatement
public void login(String username,int password) {
Connection conn = null;
Statement st = null;
ResultSet rs = null;
PreparedStatement ps = null;
try{
conn = JDBCUtil.getConn();
String sql = "select * from student where name = ? and age = ?";
ps = conn.prepareStatement(sql);
ps.setString(1,username);
ps.setInt(2,password);
rs = ps.executeQuery();
if(rs.next()){
String name = rs.getString("name");
int age = rs.getInt("age");
System.out.println("name = "+username+" age = "+password);
System.out.println("登录成功");
}else{
System.out.println("登陆失败");
}
}catch (Exception e){
System.out.println("异常,登陆失败");
e.printStackTrace();
}
- This is a login method two parameters are passed, using this method when the same value "username" and "password" parameters and two output databases "Login successful" otherwise "Login failed." Except that the processing of the incoming parameters, the parameters written directly to the SQL statement and use statement processing. And when preparestatement deal with? As a placeholder, then incoming data is processed.
