JDBC ---＞PreparedStatement

1.PreparedStatement的理解：
① PreparedStatement 是Statement的子接口
② An object that represents a precompiled SQL statement. 
③ 可以解决Statement的sql注入问题，拼串问题

1. SQL注入问题：在拼接sql时，有一些sql的特殊关键字参与字符串的拼接。会造成安全性问题
1. 输入用户随便，输入密码：a’ or ‘a’ = 'a
2. sql：select * from user where username = ‘fhdsjkf’ and password = ‘a’ or ‘a’ = ‘a’
2. 解决sql注入问题：使用PreparedStatement对象来解决
3. 预编译的SQL：参数使用?作为占位符

import cn.itcast.java1.JDBCUtils;

import java.sql.*;
import java.util.Scanner;

/**
 * @author 
 * @create 2020-09-03 19:59
 */
public class JDBCDemo8 {
    
    

    public static void main(String[] args) {
    
    
        //1.键盘录入，接受用户名和密码
        Scanner sc = new Scanner(System.in);
        System.out.println("请输入用户名：");
        String username = sc.nextLine();
        System.out.println("请输入密码：");
        String password = sc.nextLine();
        //2.调用方法
        boolean flag = new JDBCDemo8().login2(username, password);
        //3.判断结果，输出不同语句
        if (flag) {
    
    
            //登录成功
            System.out.println("登录成功！");
        } else {
    
    
            System.out.println("用户名或密码错误！");
        }


    }


    /**
     * 登录方法
     */
    public boolean login(String username, String password) {
    
    
        if (username == null || password == null) {
    
    
            return false;
        }
        //连接数据库判断是否登录成功
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        //1.获取连接
        try {
    
    
            conn = JDBCUtils.getConnection();
            //2.定义sql
            String sql = "select * from user where username = '" + username + "' and password = '" + password + "' ";
            System.out.println(sql);
            //3.获取执行sql的对象
            stmt = conn.createStatement();
            //4.执行查询
            rs = stmt.executeQuery(sql);
            //5.判断
           /* if(rs.next()){//如果有下一行，则返回true
                return true;
            }else{
                return false;
            }*/
            return rs.next();//如果有下一行，则返回true

        } catch (SQLException e) {
    
    
            e.printStackTrace();
        } finally {
    
    
            JDBCUtils.close(rs, stmt, conn);
        }
        return false;
    }


    /**
     * 登录方法,使用PreparedStatement实现
     */
    public boolean login2(String username,String password){
    
    
        if (username == null || password == null){
    
    
            return false;
        }
        //连接数据库判断是否登录成功
        Connection conn = null;
        PreparedStatement pstmt = null;
        ResultSet rs = null;
        //1.获取连接
        try {
    
    
             conn = JDBCUtils.getConnection();
             //2.定义sql
            String sql = "select * from user where username = ? and password = ?";
            //3.获取执行sql的对象
            pstmt = conn.prepareStatement(sql);
            //给？赋值
            pstmt.setString(1,username);
            pstmt.setString(2,password);
            //4.执行查询，不需要传递sql
            rs = pstmt.executeQuery();
            //5.判断
            return rs.next();
        } catch (SQLException e) {
    
    
            e.printStackTrace();
        }finally {
    
    
            JDBCUtils.close(rs,pstmt,conn);
        }
        return false;
    }
}