
oracle(sql注入)

拼接 SQL 语句的问题:可能因他人进行 SQL 注入而丢失数据。

SQL 注入:
原因在于 SQL 语句是由字符串拼接而成的,用户输入会直接成为语句的一部分。
编写 SQL 语句时建议使用 PreparedStatement,通过占位符传入参数。

insert:
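public static void main(String[] args) throws ClassNotFoundException, SQLException {
    // Explicit driver registration; JDBC 4+ drivers also self-register, so this is kept for the demo.
    Class.forName("oracle.jdbc.OracleDriver");
    // NOTE(review): credentials are hard-coded for the tutorial; real code should load them
    // from configuration or a secret store, never from the source file.
    String url = "jdbc:oracle:thin:@localhost:1521:ORCL";
    // Every value goes through a '?' placeholder, so the SQL text itself never contains data.
    String sql = "insert into myemp values(?,?,?,?,?,?,?,?)";
    // try-with-resources closes the statement and then the connection even when a
    // setXxx/executeUpdate call throws; the plain close() calls did not guarantee that.
    try (Connection conn = DriverManager.getConnection(url, "scott", "123456");
         PreparedStatement pst = conn.prepareStatement(sql)) {
        pst.setInt(1, 3212);
        pst.setString(2, "小明");
        pst.setString(3, "打酱油");
        pst.setInt(4, 5423);
        // java.util.Date -> java.sql.Date: setDate() only accepts the java.sql variant.
        Date now = new Date();
        java.sql.Date hireDate = new java.sql.Date(now.getTime());
        pst.setDate(5, hireDate);
        pst.setInt(6, 5444);
        pst.setInt(7, 324);
        pst.setInt(8, 10);
        // Nothing reaches the database until executeUpdate() runs.
        pst.executeUpdate();
        System.out.println("OK!!" + conn);
    }
}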

}

select:
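public static void main(String[] args) throws ClassNotFoundException, SQLException {
    // Explicit driver registration; JDBC 4+ drivers also self-register, so this is kept for the demo.
    Class.forName("oracle.jdbc.OracleDriver");
    // NOTE(review): credentials are hard-coded for the tutorial; real code should load them
    // from configuration or a secret store, never from the source file.
    String url = "jdbc:oracle:thin:@localhost:1521:ORCL";
    // The ResultSet is now a managed resource too: it is closed before the statement,
    // and all three handles are released even if rs.next() or a getter throws.
    try (Connection conn = DriverManager.getConnection(url, "scott", "123456");
         PreparedStatement pst = conn.prepareStatement("select * from  myemp ");
         ResultSet rs = pst.executeQuery()) {
        while (rs.next()) {
            // Typed column access by name; only hiredate is printed in this demo,
            // the other reads show the Java type each column maps to.
            int empno = rs.getInt("empno");
            String ename = rs.getString("ename");
            String job = rs.getString("job");
            int mgr = rs.getInt("mgr");
            Date date = rs.getDate("hiredate");
            System.out.println(date);
            int sal = rs.getInt("sal");
            int comm = rs.getInt("comm");
            int deptno = rs.getInt("deptno");
        }
        System.out.println("OK!!" + conn);
    }
}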

}

delete:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Date;
import java.util.Scanner;

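public class Test08_delete2 {

    /**
     * Deletes the rows of {@code myemp} whose {@code deptno} and {@code sal} equal two
     * integers read from standard input, binding both through placeholders.
     *
     * @param args ignored
     * @throws ClassNotFoundException if the Oracle driver class is not on the classpath
     * @throws SQLException if connecting, preparing or executing the statement fails
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        // Not closed on purpose: closing a Scanner over System.in closes System.in itself.
        Scanner sc = new Scanner(System.in);
        System.out.println("input");
        // nextInt() already rejects non-numeric input, and setInt() binds the value as a
        // number, so the input can never be interpreted as SQL.
        int deptno = sc.nextInt();
        int sal = sc.nextInt();

        // Explicit driver registration; JDBC 4+ drivers also self-register, so this is kept for the demo.
        Class.forName("oracle.jdbc.OracleDriver");
        // NOTE(review): credentials are hard-coded for the tutorial; real code should load them
        // from configuration or a secret store, never from the source file.
        String url = "jdbc:oracle:thin:@localhost:1521:ORCL";
        // The string-concatenated form the article warns about (kept only for contrast):
        //   "delete from myemp where deptno =" + deptno + "and sal = " + sal
        // It also lacks the space before "and", which is the kind of bug placeholders avoid.
        String sql = "delete from myemp where deptno = ? and sal=?";
        // try-with-resources closes the statement and then the connection even when a call throws.
        try (Connection conn = DriverManager.getConnection(url, "scott", "123456");
             PreparedStatement pst = conn.prepareStatement(sql)) {
            pst.setInt(1, deptno);
            pst.setInt(2, sal);
            // executeUpdate() reports the affected-row count; report it instead of discarding it.
            int deleted = pst.executeUpdate();
            System.out.println("OK!!" + conn);
            System.out.println(deleted + " row(s) deleted");
        }
    }

}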

update:
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Date;
import java.util.Scanner;

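public class Test09_update2 {

    /**
     * Adds an amount read from standard input to {@code sal} for every row of {@code myemp}
     * in the department also read from standard input.
     *
     * <p>Companion statements from the same lesson:
     * <pre>
     * select  select * from emp
     * update  update myemp set sal = sal+? where deptno = ?
     * delete  delete myemp where deptno = ? and sal = ?
     * </pre>
     *
     * @param args ignored
     * @throws ClassNotFoundException if the Oracle driver class is not on the classpath
     * @throws SQLException if connecting, preparing or executing the statement fails
     */
    public static void main(String[] args) throws ClassNotFoundException, SQLException {
        // Not closed on purpose: closing a Scanner over System.in closes System.in itself.
        Scanner sc = new Scanner(System.in);
        // Plain ASCII quotes: the typographic quotes in the original did not compile.
        System.out.println("input:");
        // nextInt() already rejects non-numeric input, and setInt() binds the value as a
        // number, so the input can never be interpreted as SQL.
        int s = sc.nextInt();
        int deptno = sc.nextInt();

        // Explicit driver registration; JDBC 4+ drivers also self-register, so this is kept for the demo.
        Class.forName("oracle.jdbc.OracleDriver");
        // NOTE(review): credentials are hard-coded for the tutorial; real code should load them
        // from configuration or a secret store, never from the source file.
        String url = "jdbc:oracle:thin:@localhost:1521:ORCL";
        // The string-concatenated form the article warns about (kept only for contrast):
        //   "update myemp set sal = sal+" + s + "where deptno =" + deptno
        // Both values are bound by position, so the WHERE clause must carry the second '?':
        // the earlier "where deptno = deptno" matched every row and left setInt(2, ...)
        // pointing at a placeholder that did not exist.
        String sql = "update myemp set sal = sal + ? where deptno = ?";
        // try-with-resources closes the statement and then the connection even when a call throws.
        try (Connection conn = DriverManager.getConnection(url, "scott", "123456");
             PreparedStatement pst = conn.prepareStatement(sql)) {
            pst.setInt(1, s);
            pst.setInt(2, deptno);
            // executeUpdate() reports the affected-row count; report it instead of discarding it.
            int updated = pst.executeUpdate();
            System.out.println("OK!!" + conn);
            System.out.println(updated + " row(s) updated");
        }
    }

}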