Preparedstatement prevents SQL injection
2022-04-23 06:00:00 【hanyc..】
Adding data:
package com.hyc.study03;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.util.Date;
import java.sql.PreparedStatement;
import java.sql.SQLException;
public class TestInsert {

    /**
     * Insert statement. Every column value is supplied through a {@code ?} placeholder, so the
     * statement text itself never contains user data.
     */
    private static final String INSERT_SQL =
            "INSERT INTO `users`(`id`,`NAME`,`PASSWORD`,`email`,`birthday`) " +
            "VALUES (?,?,?,?,?);";

    /**
     * Inserts one fixed demo user and prints a success message when the driver reports at least
     * one affected row. A {@link SQLException} is printed to stderr and otherwise ignored.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null; // an INSERT produces no result set; only passed along to release()
        try {
            conn = JDBCUtils.getConnection();
            // Precompile first; the parameter values are bound afterwards as typed data.
            ps = conn.prepareStatement(INSERT_SQL);
            ps.setInt(1, 4);
            ps.setString(2, "hyc");
            // NOTE(review): the literal "123456" goes into the PASSWORD column as plaintext —
            // nothing in this demo hashes it, so treat it as tutorial data only.
            ps.setString(3, "123456");
            ps.setString(4, "[email protected]");
            // java.sql.Date (a java.util.Date subclass) carries only the date part for the database;
            // it is built here from the current java.util.Date's epoch milliseconds.
            ps.setDate(5, new java.sql.Date(new Date().getTime()));
            int affected = ps.executeUpdate();
            if (affected > 0) {
                System.out.println(" Insert data succeeded !");
            }
        } catch (SQLException e) {
            // Best-effort demo: report on stderr and let main return normally.
            e.printStackTrace();
        } finally {
            // Hand all three handles (some possibly null) back to the project helper.
            JDBCUtils.release(conn, ps, rs);
        }
    }
}
Deleting data:
package com.hyc.study03;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class TestDelete {

    /** Delete statement; the target id is bound through a {@code ?} placeholder. */
    private static final String DELETE_SQL = "DELETE FROM `users` WHERE id=?";

    /**
     * Deletes the demo user with id 4.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        deleteUser(4);
    }

    /**
     * Deletes the row whose id equals {@code id}, printing a success message when a row was
     * removed. A {@link SQLException} is printed to stderr and otherwise ignored.
     *
     * @param id primary key of the row to delete; bound with {@code setInt}, so it is sent as a
     *     typed value and cannot change the statement text
     */
    private static void deleteUser(int id) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null; // a DELETE produces no result set; only passed along to release()
        try {
            conn = JDBCUtils.getConnection();
            ps = conn.prepareStatement(DELETE_SQL);
            ps.setInt(1, id);
            int affected = ps.executeUpdate();
            if (affected > 0) {
                System.out.println(" Delete data succeeded !");
            }
        } catch (SQLException e) {
            // Best-effort demo: report on stderr and return normally.
            e.printStackTrace();
        } finally {
            JDBCUtils.release(conn, ps, rs);
        }
    }
}
Modifying data:
package com.hyc.study03;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class TestUpdate {

    /** Update statement; the new values and the row id are bound through {@code ?} placeholders. */
    private static final String UPDATE_SQL =
            "UPDATE `users` SET `NAME`=?,`email`=? WHERE `id`=?";

    /**
     * Renames the user with id 1 and replaces its e-mail address, printing a success message when
     * the driver reports an affected row. A {@link SQLException} is printed to stderr and
     * otherwise ignored.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        final String newName = "zhangsan";
        final String newEmail = "[email protected]";
        final int targetId = 1;

        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null; // an UPDATE produces no result set; only passed along to release()
        try {
            conn = JDBCUtils.getConnection();
            ps = conn.prepareStatement(UPDATE_SQL);
            // Parameters are bound by 1-based position, in the order the placeholders appear.
            ps.setString(1, newName);
            ps.setString(2, newEmail);
            ps.setInt(3, targetId);
            if (ps.executeUpdate() > 0) {
                System.out.println(" Update data successful !");
            }
        } catch (SQLException e) {
            // Best-effort demo: report on stderr and let main return normally.
            e.printStackTrace();
        } finally {
            JDBCUtils.release(conn, ps, rs);
        }
    }
}
Querying data:
package com.hyc.study03;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
public class TestSelect {

    /** Lookup statement; the id is bound through a {@code ?} placeholder. */
    private static final String SELECT_SQL = "SELECT * FROM `users` WHERE id=?";

    /**
     * Prints the NAME of the demo user with id 1.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        printNameById(1);
    }

    /**
     * Runs the lookup for {@code id} and prints the {@code NAME} column of every matching row.
     * A {@link SQLException} is printed to stderr and otherwise ignored.
     *
     * @param id primary key to look up; bound with {@code setInt}, so it is sent as a typed value
     *     and cannot change the statement text
     */
    private static void printNameById(int id) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = JDBCUtils.getConnection();
            ps = conn.prepareStatement(SELECT_SQL);
            ps.setInt(1, id);
            rs = ps.executeQuery();
            while (rs.next()) {
                System.out.println(rs.getString("NAME"));
            }
        } catch (SQLException e) {
            // Best-effort demo: report on stderr and return normally.
            e.printStackTrace();
        } finally {
            // The result set is released together with the statement and connection.
            JDBCUtils.release(conn, ps, rs);
        }
    }
}
PreparedStatement prevents SQL injection:
The essence of how PreparedStatement prevents SQL injection is that it treats each passed-in parameter as character data (every parameter is wrapped as one complete string value); if the value contains special characters such as ‘, they are escaped directly. This avoids concatenating strings into an illegal SQL statement, and so avoids data leakage.
package com.hyc.study03;
import com.hyc.study02.utils.JDBCUtils;
import java.sql.*;
public class PourIntoSql {

    /**
     * Login lookup. Both the name and the password are bound as parameters, so the statement
     * text seen by the database is exactly this constant.
     */
    private static final String LOGIN_SQL =
            "SELECT * FROM `users` WHERE `NAME`=? AND `PASSWORD`=?";

    /**
     * Demonstrates that a tautology-style user name does not alter the query: bound through
     * {@code setString}, the text is matched literally against the NAME column.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        login("'' or '1=1", "123456");
    }

    /**
     * Prints the NAME of every row whose NAME and PASSWORD columns equal the given values, each
     * followed by a separator line. A {@link SQLException} is printed to stderr and otherwise
     * ignored.
     *
     * @param username value compared against {@code NAME}; bound as a parameter, never spliced
     *     into the SQL text, so quotes or keywords inside it stay plain data
     * @param psw value compared against {@code PASSWORD}; this demo compares the stored column
     *     directly to the supplied value — NOTE(review): a real login would compare a password
     *     hash, not the plaintext
     */
    public static void login(String username, String psw) {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            conn = JDBCUtils.getConnection();
            ps = conn.prepareStatement(LOGIN_SQL);
            ps.setString(1, username);
            ps.setString(2, psw);
            rs = ps.executeQuery();
            while (rs.next()) {
                System.out.println(rs.getString("NAME"));
                System.out.println("===========================================");
            }
        } catch (SQLException e) {
            // Best-effort demo: report on stderr and return normally.
            e.printStackTrace();
        } finally {
            JDBCUtils.release(conn, ps, rs);
        }
    }
}
Result:
With PreparedStatement in use, an attempt to achieve SQL injection through string splicing cannot succeed.