Introduction of JDBC preparestatement+ database connection pool

jdbc-PrepareStatement

1. PrepareStatement The role of

   precompile SQL Statement and execute ; The prevention of SQL Injection problem

2. SQL Description of injection ：

   sql Injection is to modify the pre-defined by operation input SQL sentence , The method used to execute code to attack the server
   For example, when we log in ： Need to enter account number and password , When we enter the password ‘or’1’='1 It's going to produce sql Inject , Look at the analysis below ：

@Test
public void testLogin() throws  Exception {
    
    //2.  Get the connection ： If the connection is local mysql And the port is the default  3306  Can simplify writing 
    String url = "jdbc:mysql:///db1?useSSL=false";
    String username = "root";
    String password = "1234";
    Connection conn = DriverManager.getConnection(url, username, password);

    //  Receive user input   User name and password 
    String name = "sjdljfld";
    String pwd = "' or '1' = '1";
    String sql = "select * from tb_user where username = '"+name+"' and password = '"+pwd+"'";
    //  obtain stmt object 
    Statement stmt = conn.createStatement();
    //  perform sql
    ResultSet rs = stmt.executeQuery(sql);
    //  Judge whether the login is successful 
    if(rs.next()){
    
        System.out.println(" Login successful ~");
    }else{
    
        System.out.println(" Login failed ~");
    }

    //7.  Release resources 
    rs.close();
    stmt.close();
    conn.close();
}

Look at this statement ：“select * from tb_user where username = '”+name+“’ and password = '”+pwd+“'”;
Write the account password we entered into （ Random account , Passwords will be generated sql Inject ）： password = ’ ‘or’1’='1 ’ ==>
password = ’ ‘or’1’=‘1’ ; ‘’ => false or ‘1’=‘1’ really So the result is true , So even if the input is not the real password , Finally, login can be realized .

Now we use ?( Place holder ) To prevent sql Inject ：

// SQL Parameter value in statement , Use ？ Placeholder replacement 
String sql = "select * from user where username = ? and password = ?";
//  adopt Connection Object acquisition , And pass in the corresponding sql sentence 
PreparedStatement pstmt = conn.prepareStatement(sql);

We go through PrepareStatement Object's setXxx（） Method to set parameters ？ Value , as follows ：

  //  Receive user input   User name and password 
    String name = "zhangsan";
    String pwd = "' or '1' = '1";

    //  Definition sql
    String sql = "select * from tb_user where username = ? and password = ?";
    //  obtain pstmt object 
    PreparedStatement pstmt = conn.prepareStatement(sql);
    //  Set up ？ Value 
    pstmt.setString(1,name);
    pstmt.setString(2,pwd);
    //  perform sql
    ResultSet rs = pstmt.executeQuery();
    //  Judge whether the login is successful 
    if(rs.next()){
    
        System.out.println(" Login successful ~");
    }else{
    
        System.out.println(" Login failed ~");
    }

I'm curious why it doesn't happen sql Inject ？PrepareStatement How is it realized ？
PrepareStatement Is the escape of special characters , Escaped sql as follows ：

select * from tb_user where username = 'sjdljfld' and password = '\'or \'1\' = \'1'

PrepareStatement The advantages of ：
precompile SQL, Higher performance
prevent SQL Inject ： Escape sensitive characters

java The flow of code operation database is shown in the figure ：

Turn on the precompile function ：
Write... In code url The following parameters need to be added when . And we didn't turn on the precompile function before , Knowledge solves sql Inject holes

useServerPrepstmts=true

To configure MYSQL Execution log （ restart mysql Effective after service ）

• stay mysql The configuration file （my.ini） Add the following configuration

  log-output=FILE
  general-log=1
  general_log_file="D:\mysql.log"
  slow-query-log=1
  slow_query_log_file="D:\mysql_slow.log"
  long_query_time=2

Summary

• In obtaining PreparedStatement Object time , take sql The statement is sent to mysql The server checks , compile （ These steps are time-consuming ）
• You don't have to do these steps when executing , Faster
• If sql It's like a template , You only need to check once 、 compile

4, Database connection pool

• Database connection pool is a container , To be responsible for the distribution of 、 Manage database connections (Connection)

• It allows applications to reuse an existing database connection , Instead of building a new ;

• Release database connection with idle time exceeding the maximum idle time to avoid missing database connection caused by no free database connection

• benefits

• Resource reuse

• Improve system response speed

• Avoid missing database connections

Database connection pool implementation

• Standard interface ：DataSource

  official (SUN) Database connection pool standard interface provided , This interface is implemented by a third-party organization . This interface provides the function of obtaining connection ：

  Connection getConnection()
  

  Then you don't need to pass DriverManager Object acquisition Connection object , But through the connection pool （DataSource） obtain Connection object .

• Common database connection pool

  • DBCP
  • C3P0
  • Druid

  Now we use more Druid, Its performance will be better than the other two .

• Druid（ Druid ）

  • Druid Connection pool is an open source database connection pool project of Alibaba

  • Powerful , Excellent performance , yes Java One of the best database connection pools in language