JDBC初体验（二）-编程知识

一、SQL注入

1.1 SQL注入原理

利用现有应用程序，将（恶意的）SQL命令注入到后台数据库引擎执行的能力，它可以通过在web表单中输入（恶意的）SQL语句得到一个存在安全漏洞的网站上的数据库，而不是按照设计者意图去执行SQL语句

1.2 防止SQL注入的方法

过滤用户输入的数据中是否包含非法字符
分步校验，先使用用户名来查询用户，如果查到了，再比较密码
使用PreparedStatement接口

二、PreparedStatement接口

PreparedStatement接口是Statement的子接口，可以使用该接口来替换Statement接口

PreparedStatement的使用

使用Connection对象的preparedStatement(String sql):即创建它时就让它与一条SQL语句绑定
编写SQL语句时，如果存在参数，就是用？作为数据占位符
调用PreparedStatement的setXXX()系列方法为占位符设置值，索引从1开始
调用executeUpdated()或executeQuery()方法，但要注意，要调用没有参数的方法

三、增、删、改、查操作代码演示

3.1 User类

package day02.pojo;/*** @desc:User类*/public class User {private int id;private String userName;private String userPass;private int role;public User(int id, String userName, String userPass, int role) {this.id = id;this.userName = userName;this.userPass = userPass;this.role = role;}public User() {}public int getId() {return id;}public void setId(int id) {this.id = id;}public String getUserName() {return userName;}public void setUserName(String userName) {this.userName = userName;}public String getUserPass() {return userPass;}public void setUserPass(String userPass) {this.userPass = userPass;}public int getRole() {return role;}public void setRole(int role) {this.role = role;}@Overridepublic String toString() {return "User{" +"id=" + id +", userName='" + userName + '\'' +", userPass='" + userPass + '\'' +", role=" + role +'}';}
}

3.2 JDBC/增删改查类

package day02.IncreaseDeleteChangeQuery;import day02.pojo.User;import java.sql.*;/*** @desc:JDBC类、增删改查类*/public class UserDao {Connection connection =null;Statement statement =null;PreparedStatement ps = null;ResultSet resultSet =null;/*** 用户登录* @param userName 用户名* @param userPass 用户密码* @return User*/public User toLogin(String userName,String userPass){//1.获取连接对象getConnection();//2.编写SQL语句String sql = "select ID,USERNAME,ROLE from user where userName = ? and userPass = ?";System.out.println("要执行的SQL语句是：" + sql);//3.创建statement对象User user = null;try {// 创建PreparedStatement对象 发送SQL语句并预执行ps = connection.prepareStatement(sql);//3.1处理参数ps.setString(1,userName);ps.setString(2,userPass);//4.执行并解析结果resultSet = ps.executeQuery();while (resultSet.next()){user = new User();user.setId(resultSet.getInt(1));user.setUserName(resultSet.getString(2));user.setRole(resultSet.getInt(3));}} catch (SQLException e) {e.printStackTrace();}finally {closeResource();}return user;}/*** 增删改查——查*/public User login(String userName,String userPass){//1.获取连接对象getConnection();//2.编写SQL语句String sql = "select ID,USERNAME,ROLE from user where userName = '"+userName+"' and userPass = '"+userPass+"'";System.out.println("要执行的SQL语句是：" + sql);//3.创建statement对象User user = null;try {statement = connection.createStatement();resultSet = statement.executeQuery(sql);//4.解析结果while (resultSet.next()){user = new User();user.setId(resultSet.getInt(1));user.setUserName(resultSet.getString(2));user.setRole(resultSet.getInt(3));}} catch (SQLException e) {e.printStackTrace();}finally {closeResource();}return user;}public User login2(String userName,String userPass){//1.获取连接对象getConnection();//2.编写SQL语句String sql = "select ID,USERNAME,USERPASS,ROLE from user where userName = '"+userName+"'";System.out.println("要执行的SQL语句是：" + sql);//3.创建statement对象User user = null;try {statement = connection.createStatement();resultSet = statement.executeQuery(sql);//4.解析结果while (resultSet.next()){user = new User();user.setId(resultSet.getInt(1));user.setUserName(resultSet.getString(2));user.setUserPass(resultSet.getString(3));user.setRole(resultSet.getInt(4));}if(userPass.equals(user.getUserPass())){return user;}} catch (SQLException e) {e.printStackTrace();}finally {closeResource();}return null;}/*** 增删改查——增*/public int saveUser(User user) {int line = 0;//1、获取连接对象getConnection();//2、编写SQL语句String sql = "insert into user values(default,?,?,?)";try {ps = connection.prepareStatement(sql);ps.setString(1, user.getUserName());ps.setString(2,user.getUserPass());ps.setInt(3,user.getRole());//3、执行     增删改的执行方法是excuteUpdate()//返回一个整数，表示受影响的行数line = ps.executeUpdate();} catch (SQLException e) {e.printStackTrace();} finally {closeResource();}return line;}/*** 增删改查——改*/public int updateUser(User user) {int line = 0;//1、获取连接对象getConnection();//2、编写SQL语句String sql = "update user set USERNAME=?,USERPASS=?,ROLE=? where ID=?";try {ps = connection.prepareStatement(sql);ps.setString(1, user.getUserName());ps.setString(2,user.getUserPass());ps.setInt(3,user.getRole());ps.setInt(4,user.getId());//3、执行     增删改的执行方法是excuteUpdate()//返回一个整数，表示受影响的行数line = ps.executeUpdate();} catch (SQLException e) {e.printStackTrace();} finally {closeResource();}return line;}/*** 增删改查——删*/public  int deleteUser(int id) {int line = 0;//1、获取连接对象getConnection();//2、编写SQL语句String sql = "delete from user where id = ?";try {ps = connection.prepareStatement(sql);ps.setInt(1,id);//3、执行     增删改的执行方法是excuteUpdate()//返回一个整数，表示受影响的行数line = ps.executeUpdate();} catch (SQLException e) {e.printStackTrace();} finally {closeResource();}return line;}//↓↓↓以下两部分代码是固定的，不需要改动，所以封装起来/*** 加载驱动和建立连接*/public Connection getConnection(){try {//1.加载驱动Class.forName("com.mysql.jdbc.Driver");//2.建立连接connection = DriverManager.getConnection("jdbc:mysql://localhost:3306/myschool?useSSL=false","root","zkz2002513>");} catch (ClassNotFoundException e) {e.printStackTrace();} catch (SQLException e) {e.printStackTrace();}return connection;}/*** 关闭资源*/public void closeResource(){if(resultSet!=null){try {resultSet.close();} catch (SQLException e) {e.printStackTrace();}}if(ps!=null){try {ps.close();} catch (SQLException e) {e.printStackTrace();}}if(statement!=null){try {statement.close();} catch (SQLException e) {e.printStackTrace();}}if(connection!=null){try {connection.close();} catch (SQLException e) {e.printStackTrace();}}}}

3.3 增删改查——增

package day02.IncreaseDeleteChangeQuery;import day02.pojo.User;/*** @desc:增删改查操作——增加main方法*/public class IncreaseMain {public static void main(String[] args) {UserDao userDao = new UserDao();User user = new User();user.setUserName("诸葛亮");user.setUserPass("9087666");user.setRole(3);int line = userDao.saveUser(user);System.out.println(line > 0 ? "添加成功": "添加失败");}
}

3.4 增删改查——删

package day02.IncreaseDeleteChangeQuery;/*** @desc:增删改查操作——删除main方法*/public class DeleteMain {public static void main(String[] args) {UserDao userDao = new UserDao();int line = userDao.deleteUser(11);System.out.println(line > 0 ? "删除成功": "删除失败");}
}

3.5 增删改查——改

package day02.IncreaseDeleteChangeQuery;import day02.pojo.User;import java.util.Scanner;/*** @desc:增删改查操作——改main方法*/public class ChangeMain {public static void main(String[] args) {
/*        Scanner sc = new Scanner(System.in);System.out.println("请输入要修改的用户id：");int id = sc.nextInt();System.out.println("请输入要修改的用户名：");String username = sc.next();System.out.println("请输入新的的密码：");String password = sc.next();System.out.println("请输入角色类型：");int role = sc.nextInt();User user = new User(id, username, password, role);UserDao userDao = new UserDao();*/UserDao userDao = new UserDao();User user = new User(8,"赵云","24678",2);int line = userDao.updateUser(user);System.out.println(line > 0 ? "修改成功" : "修改失败");}
}

3.6 增删改查——查

package day02.IncreaseDeleteChangeQuery;import day02.pojo.User;import java.util.Scanner;/*** @desc:增删改查操作——查询main方法*/public class QueryMain {public static void main(String[] args) {Scanner sc = new Scanner(System.in);UserDao userDao = new UserDao();System.out.println("****************************************");System.out.println("\t\t\t\t\t用户管理系统");System.out.println("****************************************");System.out.print("请输入用户名：");String userName = sc.next();System.out.print("请输入密码：");String userPass = sc.next();User user = userDao.toLogin(userName,userPass);if (user == null) {System.out.println("登录失败，用户名或密码错误！");} else {System.out.println("登录成功，欢迎【" + user.getUserName() + "】！");}}
}