Statement对象

jdbc中的statement 对象用于向数据库发送sql语句，想完成对数据库的增删改查，只需要通过这个对象发送增删改查的语句就好。
statement对象的executeUpdate方法，用于向数据库发送增、删、改的语句，executeUpdate执行完后，将返回一个整数，(增删改语句导致数据库几行数据发生了变化)。
Statement.executeQuery方法用于向数据库发送查询语句，executeQuery方法返回封装查询结果的的ResultSet对象。

增

使用executeUpdate(String sql)方法完成对数据库添加操作

statement statement = conn.createStatement();
String sql = "insert into user(...)values(...)";
int num = statement.executeUpdate(sql);
if(num>0){ System.out.println("插入成功!!!");}

删

使用executeUpdate(String sql)方法完成对数据库删除操作

statement statement = conn.createStatement();
String sql = "delete from user where id = ?";
int num = statement.executeUpdate(sql);
if(num>0){ System.out.println("删除成功!!!");}

改

使用executeUpdate(String sql)方法完成对数据库修改操作

statement statement = conn.createStatement();
String sql = "update user set name = '' where id = ?";
int num = statement.executeUpdate(sql);
if(num>0){ System.out.println("修改成功!!!");}

查

使用executeQuery(String sql)方法完成对数据库查询操作

statement statement = conn.createStatement();
String sql = "select * from user ";
ResultSet rs = statement.executeQuery(sql);
while(rs.next){//根据获取列的数据类型，分别调用rs的相应方法映射到java对象中
}

代码实现

1、提取成工具类

import java.io.InputStream;
import java.sql.*;
import java.util.Properties;public class JdbcUtils {private static String driver = null;private static String url = null;private static String username = null;private static String password = null;static{try {InputStream in = JdbcUtils.class.getClassLoader().getResourceAsStream("jdbc.properties");Properties properties = new Properties();properties.load(in);driver = properties.getProperty("driver");url = properties.getProperty("url");username =  properties.getProperty("username");password = properties.getProperty("password");//1.驱动只需加载一次Class.forName(driver);} catch (Exception e) {e.printStackTrace();}}//获取连接public static Connection getConnection() throws SQLException {return DriverManager.getConnection(url,username,password);}//释放连接public static void release(Connection conn, Statement statement, ResultSet rs) throws SQLException {if (rs != null) {rs.close();}if(statement != null){statement.close();}if(conn != null){conn.close();}}
}

在src目录下新建properties文件

driver = com.mysql.cj.jdbc.Driver
url = jdbc:mysql://localhost:3306/school?useUnicode=true&characterEncoding=UTF8&useSSL=false&serverTimezone=UTC&rewriteBatchedStatements=true
username = root
password = 123456

2、编写增删改方法(executeUpdate)

增加

import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;public class TestInsert {public static void main(String[] args) throws SQLException {Connection conn = null;Statement statement = null;conn = JdbcUtils.getConnection();statement = conn.createStatement();String sql = "insert into `student` (`studentno`,`loginpwd`,`studentname`,`sex`,`gradeid`,`phone`,`address`,`email`)" +"values(5,'123456','潮汕奴仔','1','1','154034','广东汕头','12343584@qq.com');";int i = statement.executeUpdate(sql);if (i > 0) {System.out.println("插入数据成功");}JdbcUtils.release(conn,statement,null);}
}

删除

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;public class TestDelete {public static void main(String[] args) {Connection conn = null;Statement statement = null;try {conn = JdbcUtils.getConnection();statement = conn.createStatement();String sql = "delete from student where `studentno` = 5";int i = statement.executeUpdate(sql);if(i>0){System.out.println("删除成功");}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,statement,null);} catch (SQLException e) {e.printStackTrace();}}}
}

修改

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;public class TestUpdate {public static void main(String[] args) {Connection conn = null;Statement statement = null;try {conn = JdbcUtils.getConnection();statement = conn.createStatement();String sql = "update student set `studentName` = '潮汕人' where `studentno` = 5";int i = statement.executeUpdate(sql);if(i>0){System.out.println("更新成功");}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,statement,null);} catch (SQLException e) {e.printStackTrace();}}}
}

3、编写查询方法(executeQuery)

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;public class TestSelect {public static void main(String[] args) {Connection conn = null;Statement statement = null;ResultSet rs = null;try {conn = JdbcUtils.getConnection();statement = conn.createStatement();String sql = "select * from student ";rs  = statement.executeQuery(sql);while(rs.next()){System.out.println("学生名："+rs.getString("studentName"));System.out.println("学生密码："+rs.getString("loginpwd"));}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,statement,rs);} catch (SQLException e) {e.printStackTrace();}}}
}

SQL注入问题

SQL存在漏洞，会被攻击导致数据泄露，sql会被拼接or

正常版本

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;public class TestSqlInject {public static void main(String[] args) {login("潮汕人","123456");}public static void login(String username,String password){Connection conn = null;Statement statement = null;ResultSet rs = null;try {conn = JdbcUtils.getConnection();statement = conn.createStatement();//正常sql//String sql = "select * from student where `studentname`='潮汕人' and `loginpwd` = '123456' ";String sql = "select * from student where `studentname`='"+username+"' and `loginpwd` = '"+password+"' ";rs = statement.executeQuery(sql);while (rs.next()){System.out.println("姓名："+rs.getString("studentname"));System.out.println("密码："+rs.getString("loginpwd"));System.out.println("地址："+rs.getString("address"));}} catch (SQLException e) {e.printStackTrace();} finally {try {JdbcUtils.release(conn,statement,rs);} catch (SQLException e) {e.printStackTrace();}}}
}

有漏洞版本

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;public class TestSqlInject {public static void main(String[] args) {login(" 'or'1=1 "," 'or'1=1 ");}public static void login(String username,String password){Connection conn = null;Statement statement = null;ResultSet rs = null;try {conn = JdbcUtils.getConnection();statement = conn.createStatement();//正常sql//String sql = "select * from student where `studentname`='潮汕人' and `loginpwd` = '123456' ";String sql = "select * from student where `studentname`='"+username+"' and `loginpwd` = '"+password+"' ";rs = statement.executeQuery(sql);while (rs.next()){System.out.println("姓名："+rs.getString("studentname"));System.out.println("密码："+rs.getString("loginpwd"));System.out.println("地址："+rs.getString("address"));}} catch (SQLException e) {e.printStackTrace();} finally {try {JdbcUtils.release(conn,statement,rs);} catch (SQLException e) {e.printStackTrace();}}}
}

那么如何解决此注入问题呢

PreparedStatement对象

preparedStatement 可以防止sql注入，效果更好

增

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;public class TestInsert{public static void main(String[] args) {Connection conn = null;PreparedStatement pstm = null;try {//获取数据库连接conn = JdbcUtils.getConnection();//先写sql 使用？做占位符String sql = "insert into student (`studentno`,`loginpwd`,`studentname`,`sex`)values(?,?,?,?)";//预编译sqlpstm = conn.prepareStatement(sql);//手动给参数赋值pstm.setInt(1,6);pstm.setString(2,"666666");pstm.setString(3,"奴仔");pstm.setInt(4,1);//执行 注意此时sql无需放在方法中int i = pstm.executeUpdate();if(i>0){System.out.println("插入成功");}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,pstm,null);} catch (SQLException e) {e.printStackTrace();}}}
}

删

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;public class TestDelete {public static void main(String[] args) {Connection conn = null;PreparedStatement pstm = null;try {//获取数据库连接conn = JdbcUtils.getConnection();//先写sql 使用？做占位符String sql = "delete from student where `studentno` = ?";//预编译sqlpstm = conn.prepareStatement(sql);//手动给参数赋值pstm.setInt(1,6);//执行 注意此时sql无需放在方法中int i = pstm.executeUpdate();if(i>0){System.out.println("删除成功");}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,pstm,null);} catch (SQLException e) {e.printStackTrace();}}}
}

改

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;public class TestUpdate {public static void main(String[] args) {Connection conn = null;PreparedStatement pstm = null;try {//获取数据库连接conn = JdbcUtils.getConnection();//先写sql 使用？做占位符String sql = "update student set `studentname`=? where `studentNo`=?";//预编译sqlpstm = conn.prepareStatement(sql);//手动给参数赋值pstm.setString(1,"禾埠");pstm.setInt(2,6);//执行 注意此时sql无需放在方法中int i = pstm.executeUpdate();if(i>0){System.out.println("更新成功");}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,pstm,null);} catch (SQLException e) {e.printStackTrace();}}}
}

查

import com.csnz.lession2.utils.JdbcUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;public class TestSelect {public static void main(String[] args) {Connection conn = null;PreparedStatement pstm = null;ResultSet rs = null;try {//获取数据库连接conn = JdbcUtils.getConnection();//先写sql 使用？做占位符//preparedStatement防止sql注入的本质，把传递进来的参数当做字符//假设其中存在转义字符，比如 ` 会被直接转义String sql = "select * from student where `studentname`=? and `loginpwd` = ?";//预编译sqlpstm = conn.prepareStatement(sql);//手动给参数赋值
//            pstm.setString(1,"潮汕人");
//            pstm.setString(2,"123456");//PreparedStatement避免了sql注入问题pstm.setString(1," '' or 1=1 ");pstm.setString(2," '' or 1=1 ");//执行 注意此时sql无需放在方法中rs = pstm.executeQuery();while(rs.next()){System.out.println("姓名："+rs.getString("studentName"));System.out.println("密码："+rs.getString("loginpwd"));System.out.println("地址："+rs.getString("address"));}} catch (SQLException e) {e.printStackTrace();}finally {try {JdbcUtils.release(conn,pstm,null);} catch (SQLException e) {e.printStackTrace();}}}
}

preparedStatement防止sql注入的本质，把传递进来的参数当做字符，假设其中存在转义字符，比如 ` 会被直接转义

梦回JDBC —— (Statement对象)相关推荐

JDBC(一)——statement对象、PreparedStatement对象
文章目录 1. 数据库驱动 2. JDBC 3. 第一个JDBC程序 4. statement对象 4.1 简述 4.2 CRUD操作 4.3 代码实现 5. PreparedStatement对象 ...
10.statement对象实例（executeUpdate方法以及executeQuery方法），JDBC工具类编写
1.JDBC工具类: 2.增删改:executeUpdate() 删除指定数据: 插入一条数据: 更新数据: 3.查:executeQuery() statement对象:Statement 是 Ja ...
Java数据库连接（JDBC）之二：Statement对象和PreparedStatement对象的使用
1,Statement对象是Java 执行数据库操作的一个重要方法,用于在已经建立数据库连接的基础上,向数据库发送要执行的SQL语句.Statement对象,用于执行不带参数的简单SQL语句. Sta ...
JDBC预处理对象prepareStatement
JDBC预处理对象prepareStatement概述一.SQL注入问题 SQL注入:用户输入的内容作为了SQL语句语法的一部分,改变了原有SQL真正的意义. 假设有登录案例SQL语句如下: SEL ...
java面试题3 牛客:下面有关jdbc statement的说法错误的是
下面有关jdbc statement的说法错误的是? A JDBC提供了Statement.PreparedStatement 和 CallableStatement三种方式来执行查询语句, 其中 S ...
Java JDBC Statement
使用Connection对象创建Statement对象 Statement createStatement() 创建一条 SQL 语句对象 Statement接口描述 int executeUpda ...
Jdbc -Statement
Java提供了 Statement.PreparedStatement 和 CallableStatement三种方式来执行查询语句: PreparedStatement是用于执行参数化查询预编译s ...
Statement对象最新解析
MySQL三十一:Statement对象 Jdbc中的statement对象用于向数据库发送SQL语句,想完成对数据库的增删改查,只需要通过这个对象向数据库发送增删改查语句即可. Statement对 ...
com.microsoft.sqlserver.jdbc.SQLServerException: 对象名 'Monkey' 无效。
主要代码 package chp13;import java.sql.Connection; import java.sql.DriverManager; import java.sql.SQLExc ...

梦回JDBC —— (Statement对象)