当前位置：网站首页>API supplement of JDBC

API supplement of JDBC

2022-07-25 10:54:00 【Hua Weiyun】

Four 、ResultSet

ResultSet( Result set object ) effect ：

1. Encapsulates the DQL The result of the query statement

ResultSet stmt.executeQuery(sql): perform DQL sentence , return ResultSet object

Get query results

boolean next():（1） Move the cursor forward one line from the current position （2） Judge whether the current line is a valid line
Return value ： The current row has data returned true, There is currently no data returned false.

xxx getXxx( Parameters )： get data

explain ：xxx Represents the data type ; Such as int getInt( Parameters );String getString( Parameters );
Parameters ： about int Is the number of the column , from 1 Start , about String Is the name of the column .

Use steps ：

1、 Move the cursor down one line , And judge whether the line has data ：next()

2、 get data ：getXxx( Parameters )

Example ：

while(rs.next()){    rs.getXxx( Parameters );}

example ：

package com.jdbc;import com.mysql.jdbc.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;public class JDBCDemo3_ResultSet {    public static void main(String[] args) throws Exception {        //1、 Registration drive         Class.forName("com.mysql.jdbc.Driver");       //2、 Get the connection          //url The format is ："jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);        //3、 Definition sql        String sql="select *from emp";        //4、 Access to perform sql Of Statement object         Statement stmt=conn.createStatement();        //5、 perform sql sentence         ResultSet rs=stmt.executeQuery(sql);        //6 Processing results       while(rs.next()){          // get data  getXxx(); You can write the line in parentheses , You can also write column names           int id=rs.getInt(1);          String ename=rs.getString(2);          int salary=rs.getInt(3);          // Another way of writing ： Write the name of the line //          int id=rs.getInt("id");//          String ename=rs.getString("ename");//          int salary=rs.getInt("salary");          System.out.println(id);          System.out.println(ename);          System.out.println(salary);          System.out.println("-----------");      }        //7、 Release resources ( Open first and then release )        rs.close();        stmt.close();        conn.close();    }}

In the database emp surface

edit

After running ：

edit

ResultSet Case study

demand ： Inquire about account Account data , Encapsulated in the Account In the object , And store it in ArrayList Collection

edit

Create a pojo package , Used to store objects .

edit

Created a class , Provide getSet Method

package com.pojo;public class Account {    private int id;    private String ename;    private int salary;    public int getId() {        return id;    }    public void setId(int id) {        this.id = id;    }    public String getEname() {        return ename;    }    public void setEname(String ename) {        this.ename = ename;    }    public int getSalary() {        return salary;    }    public void setSalary(int salary) {        this.salary = salary;    }    // In order to better show , rewrite toString() Method     @Override    public String toString() {        return "Account{" +                "id=" + id +                ", ename='" + ename + '\'' +                ", salary=" + salary +                '}'+"\n";    }}

jdbc In the class created under the package

package com.jdbc;import com.mysql.jdbc.Connection;import com.pojo.Account;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;import java.util.ArrayList;import java.util.List;public class JDBCDemo4_ResultSet {    public static void main(String[] args) throws Exception {        //1、 Registration drive         Class.forName("com.mysql.jdbc.Driver");       //2、 Get the connection          //url The format is ："jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);        //3、 Definition sql        String sql="select *from emp";        //4、 Access to perform sql Of Statement object         Statement stmt=conn.createStatement();        //5、 perform sql sentence         ResultSet rs=stmt.executeQuery(sql);        //6 Processing results         // Create a collection object         List<Account> list=new ArrayList<>();      while(rs.next()){          // establish Account object           Account account=new Account();          // get data  getXxx(); You can write the line in parentheses , You can also write column names           int id=rs.getInt(1);          String ename=rs.getString(2);          int salary=rs.getInt(3);          // Assignment data           account.setId(id);          account.setEname(ename);          account.setSalary(salary);          list.add(account);      }        System.out.println(list);        //7、 Release resources ( Open first and then release )        rs.close();        stmt.close();        conn.close();    }}

Running results ：

edit

5、 ... and 、PreparedStatement

PreparedStatement effect ：

1、 precompile SQL Statement and execute ： The prevention of SQL Injection problem

SQL Inject

SQL Injection is to modify pre-defined by operating input SQL sentence , The method used to execute code to attack the server .

Demonstrate normal login ：

First, data record kc_db1 Under the emp The table is ：

edit

package com.jdbc;import com.mysql.jdbc.Connection;import java.sql.DriverManager;import java.sql.ResultSet;import java.sql.Statement;public class JDBCDemo5_UserLogin {    public static void main(String[] args) throws Exception {       //2、 Get the connection          //url The format is ："jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);           String name="zhangsan";           String pwd="1233";        //3、 Definition sql        String sql="select *from emp where ename='"+name+"'and password='"+pwd+"'" ;        System.out.println(" This article SQL The sentence is :"+sql);        //4、 Access to perform sql Of Statement object         Statement stat=conn.createStatement();        //5、 perform sql sentence         ResultSet rs = stat.executeQuery(sql);        //6 Processing results ,rs A value indicates that the search is successful       if(rs.next()){          System.out.println(" Login successful ");      }else{          System.out.println(" Login failed ");      }        //7、 Release resources ( Open first and then release )        rs.close();        stat.close();        conn.close();    }}

Running results ：

edit

Enter other ( The reason for the failure is that there is no account with this password in the database )：

edit

sql Inject Demo ：

For this article sql It's not about passwords , Any account number

 String name=" A casual name "; String pwd=" ' or '1'='1";

Running results ： edit

This article SQL The sentence is :select *from emp where ename=' A casual name 'and password=' ' or '1'='1'

sql The essence of injection is to change the original SQL sentence , Join in or after 1=1 Always true , So this sentence is true

PreparedStatement solve SQL Inject

① obtain PreparedStatement object

//sql Parameters in statement , Use ？ Instead of String sql="select *from user where username=? and password=?";// adopt Connection Object acquisition , And pass in the corresponding sql sentence PreparedStatement  pstmt=conn.prepareStatement(sql);

② Set parameters

PreparedStatement object ：setXxx( Parameters 1, Parameters 2)： Expressed as a parameter 1(? The location of ) Assign value to parameter 2
Xxx： data type ; arbitrarily setInt( Parameters 1, Parameters 2)
Parameters ：
Parameters 1： Express ？ Location number of , from 1 Start
Parameters 2：？ Value

③ perform sql

executeUpdate();/excuteQuery(); There is no need to pass... In parentheses sql.

Create a class ：

package com.jdbc;import com.mysql.jdbc.Connection;import java.sql.DriverManager;import java.sql.PreparedStatement;import java.sql.ResultSet;import java.sql.Statement;import java.util.Scanner;public class JDBCDemo5_UserLogin {    public static void main(String[] args) throws Exception {       //2、 Get the connection          //url The format is ："jdbc:mysql://mysql Of ip: Port number / Operational database "        String url="jdbc:mysql://127.0.0.1:3306/kc_db01";        //username Is your mysql user name         String username="root";        //password Is your mysql password         String password="123456";        Connection conn= (Connection) DriverManager.getConnection(url, username, password);           String name=" A casual name ";           String pwd=" ' or '1'='1";        //3、 Definition sql        String sql="select *from emp where ename=? and password=?" ;        //4、 Acquired PreparedStatement object         PreparedStatement pstmt = conn.prepareStatement(sql);        // Set parameters         pstmt.setString(1, name);        pstmt.setString(2, pwd);        //5、 perform sql sentence         ResultSet rs =pstmt.executeQuery();        System.out.println(" This article SQL The sentence is :"+sql);        //6 Processing results ,rs A value indicates that the search is successful       if(rs.next()){          System.out.println(" Login successful ");      }else{          System.out.println(" Login failed ");      }        //7、 Release resources ( Open first and then release )        rs.close();       pstmt.close();        conn.close();    }}

Running results ：

edit

This prevents sql Inject ,setXxx The parameters passed in will be escaped , Not spliced into strings, but \' or\ ' 1\' = \' 1\'

Enter the correct ：

edit

PrepareStatement principle

PrepareStatement benefits ：

1、 precompile SQL, Higher performance
2、 prevent sql Inject .

my.ini The configuration file can see the log

log-output=FILE general-log=1general_log_file="D:\mysql.log" slow-query-log=1slow_query_log_file="D:\mysql_slow.log" long_query_time=2

The precompile function is off by default

①：PreparedStatement Precompile function Turn on ：userServerPrepStmts=true

stay sql sentence ? Then write the parameters

        String url="jdbc:mysql://127.0.0.1:3306/kc_db01"?userServerPrepStmts=true;

When you open it, you will prepare precompile ：

edit

After closing, there is no Prepare Stage

edit

原网站

版权声明
本文为[Hua Weiyun]所创，转载请带上原文链接，感谢
https://yzsam.com/2022/206/202207251005548397.html

当前位置：网站首页>API supplement of JDBC

API supplement of JDBC

Four 、ResultSet

ResultSet Case study

5、 ... and 、PreparedStatement

PreparedStatement effect ：

SQL Inject

Demonstrate normal login ：

sql Inject Demo ：

PreparedStatement solve SQL Inject

PrepareStatement principle

边栏推荐

猜你喜欢

随机推荐