SQL注入漏洞的解決：PreparedStatement
阿新 • • 發佈:2020-10-07
JDBCUtil 工具集
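package com.imooc.jdbc.utils;

import java.io.IOException;
import java.io.InputStream;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * JDBC helper: reads the connection settings from {@code mysql.properties} on the
 * classpath once (in the static initializer) and offers connection and cleanup helpers.
 *
 * <p>The property keys are {@code classLoad}, {@code MYSQLURL}, {@code USERNAME} and
 * {@code passWord}; all four are mandatory and are trimmed before use.
 */
public class JDBCUtil {

    private static final String CLASSLOAD;
    private static final String MYSQLURL;
    private static final String USERNAME;
    private static final String PASSWORD;

    static {
        // Load the configuration through the class loader. getResourceAsStream(name)
        // needs the classpath-relative name including the extension; a wrong name
        // yields null instead of an exception, so that case is checked explicitly.
        Properties p = new Properties();
        try (InputStream dataLoad =
                JDBCUtil.class.getClassLoader().getResourceAsStream("mysql.properties")) {
            if (dataLoad == null) {
                throw new IllegalStateException("mysql.properties not found on the classpath");
            }
            p.load(dataLoad);
        } catch (IOException e) {
            // Fail fast here: swallowing the error would only surface later as an NPE
            // on the missing properties, far from the real cause.
            throw new IllegalStateException("cannot read mysql.properties", e);
        }
        CLASSLOAD = required(p, "classLoad");
        MYSQLURL = required(p, "MYSQLURL");
        USERNAME = required(p, "USERNAME");
        PASSWORD = required(p, "passWord");
        // Echo only the non-secret settings; the password must never reach stdout or logs.
        System.out.println(CLASSLOAD);
        System.out.println(MYSQLURL);
        System.out.println(USERNAME);
    }

    /**
     * Returns the trimmed value of {@code key}, failing fast when the property is absent.
     *
     * @param p   the loaded properties
     * @param key the property name
     * @return the trimmed value
     * @throws IllegalStateException if the property is missing
     */
    private static String required(Properties p, String key) {
        String value = p.getProperty(key);
        if (value == null) {
            throw new IllegalStateException("missing property '" + key + "' in mysql.properties");
        }
        return value.trim();
    }

    /**
     * Loads the configured JDBC driver class.
     *
     * @throws ClassNotFoundException if the driver named by {@code classLoad} is not on the classpath
     */
    public static void loadClass() throws ClassNotFoundException {
        Class.forName(CLASSLOAD);
    }

    /**
     * Opens a connection using the settings from {@code mysql.properties}.
     *
     * @return a new connection; the caller owns it and must close it
     * @throws ClassNotFoundException if the driver cannot be loaded
     * @throws SQLException           if the database refuses the connection
     */
    public static Connection getConnection() throws ClassNotFoundException, SQLException {
        return getConnection(CLASSLOAD, MYSQLURL, USERNAME, PASSWORD);
    }

    /**
     * Overload that lets the caller supply the settings instead of the properties file.
     *
     * @param driverClass fully qualified JDBC driver class name
     * @param url         JDBC URL including the database name
     * @param username    database user
     * @param password    database password
     * @return a new connection; the caller owns it and must close it
     * @throws ClassNotFoundException if the driver cannot be loaded
     * @throws SQLException           if the database refuses the connection
     */
    public static Connection getConnection(String driverClass, String url, String username, String password)
            throws ClassNotFoundException, SQLException {
        Class.forName(driverClass);
        return DriverManager.getConnection(url, username, password);
    }

    /**
     * Closes a statement and a connection; either may be {@code null}.
     *
     * @param conn the connection to close, or {@code null}
     * @param stmt the statement to close, or {@code null}
     */
    public static void release(Connection conn, Statement stmt) {
        release(conn, stmt, null);
    }

    /**
     * Closes a result set, a statement and a connection; any of them may be {@code null}.
     * Resources are closed in the reverse order of acquisition (result set first,
     * connection last) so that each close happens while its parent is still open.
     *
     * @param conn      the connection to close, or {@code null}
     * @param stmt      the statement to close, or {@code null}
     * @param resultSet the result set to close, or {@code null}
     */
    public static void release(Connection conn, Statement stmt, ResultSet resultSet) {
        closeQuietly(resultSet);
        closeQuietly(stmt);
        closeQuietly(conn);
    }

    /**
     * Best-effort close: a failure is reported but not propagated, so the remaining
     * resources still get closed.
     *
     * @param resource the resource to close, or {@code null}
     */
    private static void closeQuietly(AutoCloseable resource) {
        if (resource == null) {
            return;
        }
        try {
            resource.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}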
PreparedStatement 的使用:
儲存資料:
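/**
 * Inserts one employee row with PreparedStatement. The values are bound as parameters
 * and never concatenated into the SQL text, which is what closes the injection hole.
 *
 * @throws IllegalStateException if the driver cannot be loaded or the database rejects the insert
 */
public void insert() {
    String sql = "insert emp(username,age,sex,addr,depId) values(?,?,?,?,?)";
    // try-with-resources closes the statement and then the connection, even on failure.
    try (Connection conn = JDBCUtil.getConnection();
         PreparedStatement pstmt = conn.prepareStatement(sql)) {
        pstmt.setString(1, "無上");
        pstmt.setInt(2, 26);
        pstmt.setString(3, "女");
        pstmt.setString(4, "香港");
        pstmt.setInt(5, 2);
        // execute() returns true only when the statement produces a ResultSet, so for an
        // INSERT it is always false and the success message would never print.
        // executeUpdate() returns the affected row count instead.
        int num = pstmt.executeUpdate();
        if (num > 0) {
            System.out.print("資料新增成功");
        }
    } catch (ClassNotFoundException | SQLException e) {
        // Propagate so the caller (a test) fails visibly instead of silently passing.
        throw new IllegalStateException("insert failed", e);
    }
}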
修改資料
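@Test
/**
 * Updates one employee row by id with PreparedStatement; the new values and the id are
 * bound as parameters rather than spliced into the SQL text.
 *
 * @throws IllegalStateException if the driver cannot be loaded or the database rejects the update
 */
public void update() {
    String sql = "update emp set username=?,sex=? where id=?";
    // try-with-resources closes the statement and then the connection, even on failure.
    try (Connection conn = JDBCUtil.getConnection();
         PreparedStatement pstmt = conn.prepareStatement(sql)) {
        pstmt.setString(1, "小天");
        pstmt.setString(2, "男");
        pstmt.setInt(3, 7);
        // executeUpdate() returns the number of affected rows.
        int num = pstmt.executeUpdate();
        if (num > 0) {
            System.out.println("資料修改成功");
        }
    } catch (ClassNotFoundException | SQLException e) {
        // Propagate so the test fails visibly instead of silently passing.
        throw new IllegalStateException("update failed", e);
    }
}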
查詢資料
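@Test
/**
 * Reads one employee row by id with PreparedStatement and prints its id and username.
 *
 * @throws IllegalStateException if the driver cannot be loaded or the query fails
 */
public void first() {
    String sql = "select id,username from emp where id=?";
    // Resources are closed in reverse order: result set, then statement, then connection.
    try (Connection conn = JDBCUtil.getConnection();
         PreparedStatement pstmt = conn.prepareStatement(sql)) {
        pstmt.setInt(1, 7);
        try (ResultSet rs = pstmt.executeQuery()) {
            if (rs.next()) {
                System.out.print(rs.getInt("id") + "----" + rs.getString("username"));
            }
        }
    } catch (ClassNotFoundException | SQLException e) {
        // Propagate so the test fails visibly instead of silently passing.
        throw new IllegalStateException("query failed", e);
    }
}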