使用占位符的好处
在SQL语句中使用?来代替具体的数值,可除去繁琐的字符串拼接操作,且可避免SQL注入的风险
String sql="SELECT * FROM user_login WHERE user_password=? AND (user_name=? OR user_telNumber=?)";
调用prepareStatement的setString方法,第一个参数是占位符的位置,第二个参数为值
此处注意一个坑
若使用resultSet = preparedStatement.executeQuery(sql)会抛出异常
java.sql.SQLSyntaxErrorException: You have an error in your SQL syntax; check the manual that corres
应使用不带参数的executeQuery方法,即resultSet = preparedStatement.executeQuery()
完整代码
String sql="SELECT * FROM user_login WHERE user_password=? AND (user_name=? OR user_telNumber=?)";
PreparedStatement preparedStatement = connection.prepareStatement(sql);
preparedStatement.setString(1,password);
preparedStatement.setString(2,username);
preparedStatement.setString(3,username);
ResultSet resultSet = preparedStatement.executeQuery();
if(resultSet.next()){
//Your code
}else{
//Your code
}
