jdbc預編譯可以有兩種方式:
方式一、jdbc自己實現的預編譯,就是做一下特殊字符處理來防SQL注入,看PreparedStatement源碼就可以了。
public static void main(String[] args) {
try {
final String driverClassName = "com.mysql.jdbc.Driver";
final String url = "jdbc:mysql://10.6.9.14:3306/SBLOG"; 重點看這里
final String username = "sdl";
final String password = "sdl";
Connection connection = DriverManager.getConnection(url2, username, password);
String sql = " SELECT *\n" +
" FROM t_web\n" +
" WHERE id = ? and name like ?";
Class.forName(driverClassName);
PreparedStatement preparedStatement = connection.prepareStatement(sql);
preparedStatement.setInt(1, 1);
preparedStatement.setString(2, "%ing%");
ResultSet rst = preparedStatement.executeQuery();
rst.next();
System.out.println(rst.getString(2));
} catch (Exception e) {
e.printStackTrace();
}
}
這里是調用MySQL時的wireshark截圖。可以看下實際上就是拼接完成的SQL發過去的。
方式二、利用MySQL的預編譯,。
public static void main(String[] args) {
try {
final String driverClassName = "com.mysql.jdbc.Driver";
final String url2 = "jdbc:mysql://10.6.8.4:3306/SBLOG?useServerPrepStmts=true"; 重點看這里增加了useServerPrepStmts=true
final String username = "sdl";
final String password = "sdl";
Connection connection = DriverManager.getConnection(url2, username, password);
String sql = " SELECT *\n" +
" FROM t_web\n" +
" WHERE id = ? and name like ?";
Class.forName(driverClassName);
PreparedStatement preparedStatement = connection.prepareStatement(sql);
preparedStatement.setInt(1, 1);
preparedStatement.setString(2, "%ing%");
ResultSet rst = preparedStatement.executeQuery();
rst.next();
System.out.println(rst.getString(2));
} catch (Exception e) {
e.printStackTrace();
}
}
這里是調用MySQL時的wireshark截圖。可以看下實際上參數是用的占位符?。
mybatis這種框架也是一樣。關鍵看你的jdbc url怎么配置的,和框架沒關系。