Java JDBC
简介
JDBC(Java DataBase Connectivity,Java数据库连接)JDBC 可让Java通过程序操作关系型数据库JDBC 基于驱动程序实现与数据库的连接与操作优点:
统一的API,提供一致的开发过程易于学习,容易上手,代码结构稳定功能强大,执行效率高,可处理海量数据
使用
public static void main(String[] args) {String url = "jdbc:mysql://localhost:3306/learn?useSSL=false&useUnicode=true&characterEncoding=UTF-8&serverTimezone=Asia/Shanghai";String user = "root";String password = "123456";Connection connection = null;Statement statement = null;ResultSet resultSet = null;PreparedStatement preparedStatement = null;try {// 1.加载驱动Class.forName("com.mysql.cj.jdbc.Driver");// 2.获取连接connection = DriverManager.getConnection(url, user, password);System.out.println(connection);// 3.创建Statement, 或PreparedStatement对象statement = connection.createStatement();String sql1 = "select * from user where id = '' or 1=1 or 1=''";String sql2 = "select * from user where id = ?";preparedStatement = connection.prepareStatement(sql2);preparedStatement.setInt(1, 5);// 4.遍历查询结果resultSet = statement.executeQuery(sql1);//resultSet = preparedStatement.executeQuery();while (resultSet.next()) {System.out.println(resultSet.getInt(1)+ ", " + resultSet.getString("name")+ ", " + resultSet.getString(3)+ ", " + resultSet.getDate(4));}} catch (Exception e) {e.printStackTrace();}finally {// 5.关闭所有连接try {if(resultSet != null) {resultSet.close();}if(statement != null) {statement.close();}if(connection != null) {connection.close();}} catch (SQLException throwables) {throwables.printStackTrace();}}}
SQL注入
SQL注入攻击是指利用SQL漏洞越权获取数据的黑客行为SQL注入攻击根源是未对原始SQL中的敏感字符做特殊处理解决方法:放弃Statement改用PreparedStatement处理SQLPreparedStatement :
PreparedStatement 预编译Statement是Statemenit的子接口PreparedStatement对SQL进行参数化,预防SQL注入攻击PreparedStatement比比Statement执行效率更高
例子:往sql语句的where条件中插入:' or 1=1 or 1='
拓展:
工具类:DbUtils连接池:Druid、C3P0
