sql注入的问题，PreparedStatement

package cn.itcast.jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SQLInject {

public static void main(String[] args) throws SQLException {
read("lisi");
System.out.println("-----------------------");
read("'or 1 or'"); // sql注入，or是sql关键字，1表示真，会查询出全部结果
}

static void read(String name) throws SQLException {
Connection conn = null;
Statement st = null;
ResultSet rs = null;

try {
conn = JdbcUtils.getConnection();

st = conn.createStatement();

String sql = "select id,name,birthday,money from user where name='"
+ name + "'";

rs = st.executeQuery(sql);

while (rs.next()) {
System.out.println("id:" + rs.getObject("id") + "\tname:"
+ rs.getObject("name") + "\tbirthday:"
+ rs.getObject("birthday") + "\tmoney:"
+ rs.getObject("money"));
}

} finally {
JdbcUtils.free(rs, st, conn);
}
}
}

PreparedStatement

package cn.itcast.jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class SQLInject {

public static void main(String[] args) throws SQLException {
read("lisi");
System.out.println("-----------------------");
read("'or 1 or'"); //现在这个查询不到结果
}

static void read(String name) throws SQLException {
Connection conn = null;
PreparedStatement ps = null;    //预处理的查询语句,过滤掉特殊字符，避免sql注入；PreparedStatement速度比Statement更快一些
ResultSet rs = null;

try {
conn = JdbcUtils.getConnection();

String sql = "select id,name,birthday,money from user where name=?";
ps = conn.prepareStatement(sql);
ps.setString(1, name);

rs = ps.executeQuery();

while (rs.next()) {
System.out.println("id:" + rs.getObject("id") + "\tname:"
+ rs.getObject("name") + "\tbirthday:"
+ rs.getObject("birthday") + "\tmoney:"
+ rs.getObject("money"));
}

} finally {
JdbcUtils.free(rs, ps, conn);
}
}
}