第十章——JDBC
10.JDBC
10.1 数据库驱动
驱动:声卡、显卡、数据库....
我们的程序会通过数据库驱动和数据库打交道~
10.2 JDBC
SUN公司为了简化开发人员对数据库的统一操作,提供了一个(Java操作数据)的规范,俗称JDBC,这些规范的实现由具体的厂商去做!
对于开发人员来说,我们只需要掌握JDBC接口的操作即可
java.sql
javax.sql
还需要导入一个数据库驱动包 mysql-connector-java-5.1.47.jar
10.3 第一个JDBC程序
创建测试数据库
1. 创建一个普通项目
2. 导入数据库驱动
新建lib,将驱动文件粘贴进来,然后再选择 add library
3. 编写测试代码
- 加载驱动
- 用户信息和url
- 连接成功,数据库对象
- 执行SQL对象
- 执行SQL对象去执行SQL,可能存在结果,查看返回结果
- 释放连接
10.4 statement对象
Jdbc中的statement对象用于向数据库发送SQL语句,想完成对数据库的增删改查,只需要通过这个对象向数据库发送增删改查语句即可。
Statement对象的executeUpdate方法,用于向数据库发送增、删、改的sql语句,executeUpdate执行完后,将会返回一个整数(即增删改语句导致了数据库几行数据发生了变化)。
Statement.executeQuery方法用于向数据库发送查询语句,executeQuery方法返回代表查询结果的ResultSet对象。
CRUD操作-create
使用executeUpdate(String sql)方法完成数据添加操作,示例操作:
Statement statement = connection.createStatement();
String sql = "insert into user(...) values(...)";
int num = statement.executeUpdate(sql);
if (num > 0) {
System.out.println("插入成功~");
}CRUD操作-delete
Statement statement = connection.createStatement();
String sql = "delete from user where id=1";
int num = statement.executeUpdate(sql);
if (num > 0) {
System.out.println("删除成功~");
}CRUD操作-update
Statement statement = connection.createStatement();
String sql = "update user set name='' where name =''";
int num = statement.executeUpdate(sql);
if (num > 0) {
System.out.println("修改成功~");
}CRUD操作-read
Statement statement = connection.createStatement();
String sql = "SELECT * FROM users";
ResultSet resultSet = statement.executeQuery(sql);
while (resultSet.next()) {
//根据获取列的数据类型,分别调用resultSet的相应方法映射到java对象中
}代码实现
-
提取工具类
import java.io.IOException; import java.io.InputStream; import java.sql.Connection; import java.sql.DriverManager; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; import java.util.Properties; /** * @ClassName: JDBCUtils * @Description: TODO 类描述 * @Author: zyy * @Date: 2021/07/14 17:48 * @Version: 1.0 */ public class JDBCUtils { private static String driver = null; private static String url = null; private static String username = null; private static String password = null; static { try { InputStream in = JDBCUtils.class.getClassLoader().getResourceAsStream("db.properties"); Properties properties = new Properties(); properties.load(in); driver = properties.getProperty("driver"); url = properties.getProperty("url"); username = properties.getProperty("username"); password = properties.getProperty("password"); //驱动只用加载一次 Class.forName(driver); } catch (IOException e) { e.printStackTrace(); } catch (ClassNotFoundException e) { e.printStackTrace(); } } /** * 获取连接 */ public static Connection getConnection() throws SQLException { return DriverManager.getConnection(url, username, password); } /** * 释放资源 */ public static void release(Connection con, Statement st, ResultSet rs) { if (rs != null) { try { rs.close(); } catch (SQLException e) { e.printStackTrace(); } } if (st != null) { try { st.close(); } catch (SQLException e) { e.printStackTrace(); } } if (con != null) { try { con.close(); } catch (SQLException e) { e.printStackTrace(); } } } }配置文件db.properties
driver=com.mysql.jdbc.Driver url=jdbc:mysql://localhost:3306/jdbcstudy?useUnicode=true&characterEncoding=utf8&useSSL=false username=root password=123456 -
编写增删改的方法,
executeUpdate(增删改)import com.zyy.lesson02.utils.JDBCUtils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; /** * @ClassName: TestInsert * @Description: TODO 类描述 * @Author: zyy * @Date: 2021/07/14 18:19 * @Version: 1.0 */ public class TestInsert { public static void main(String[] args) { Connection con = null; Statement st = null; ResultSet rs = null; try { con = JDBCUtils.getConnection(); st = con.createStatement(); String sql = "INSERT INTO users(`id`,`name`,`password`,`email`,`birthday`)\n" + "VALUES (5,'钱七','123456','[email protected]','1988-12-04')"; int num = st.executeUpdate(sql); if (num > 0) { System.out.println("插入成功!"); } } catch (SQLException e) { e.printStackTrace(); } finally { JDBCUtils.release(con, st, rs); } } }import com.zyy.lesson02.utils.JDBCUtils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; /** * @ClassName: TestDelete * @Description: TODO 类描述 * @Author: zyy * @Date: 2021/07/14 22:11 * @Version: 1.0 */ public class TestDelete { public static void main(String[] args) { Connection con = null; Statement st = null; ResultSet rs = null; try { con = JDBCUtils.getConnection(); st = con.createStatement(); String sql = "DELETE FROM users WHERE `id`=5"; int num = st.executeUpdate(sql); if (num > 0) { System.out.println("删除成功!"); } } catch (SQLException e) { e.printStackTrace(); } finally { JDBCUtils.release(con, st, rs); } } }import com.zyy.lesson02.utils.JDBCUtils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; /** * @ClassName: TestUpdate * @Description: TODO 类描述 * @Author: zyy * @Date: 2021/07/14 22:11 * @Version: 1.0 */ public class TestUpdate { public static void main(String[] args) { Connection con = null; Statement st = null; ResultSet rs = null; try { con = JDBCUtils.getConnection(); st = con.createStatement(); String sql = "UPDATE users SET birthday='1990-12-01' WHERE id=1"; int num = st.executeUpdate(sql); if (num > 0) { System.out.println("更新成功!"); } } catch (SQLException e) { e.printStackTrace(); } finally { JDBCUtils.release(con, st, rs); } } } -
查询
import com.zyy.lesson02.utils.JDBCUtils; import java.sql.Connection; import java.sql.ResultSet; import java.sql.SQLException; import java.sql.Statement; /** * @ClassName: TestSelect * @Description: TODO 类描述 * @Author: zyy * @Date: 2021/07/14 22:11 * @Version: 1.0 */ public class TestSelect { public static void main(String[] args) { Connection con = null; Statement st = null; ResultSet rs = null; try { con = JDBCUtils.getConnection(); st = con.createStatement(); String sql = "SELECT * FROM users WHERE id=1"; rs = st.executeQuery(sql); while (rs.next()) { System.out.println("id="+rs.getInt("id")); System.out.println("name="+rs.getString("name")); } } catch (SQLException e) { e.printStackTrace(); } finally { JDBCUtils.release(con, st, rs); } } }
10.5 SQl注入
sql存在漏洞,会被攻击导致数据泄露 。SQL会被拼接
import com.zyy.lesson02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/**
* @ClassName: SQLQuestion
* @Description: TODO 类描述
* @Author: zyy
* @Date: 2021/07/14 22:23
* @Version: 1.0
*/
public class SQLQuestion {
public static void main(String[] args) {
//正常登录
// login("张三","1234567");
//sql注入
login("' or '1=1","123456");
}
/**
* 登录业务
*/
public static void login(String userName, String password) {
Connection con = null;
Statement st = null;
ResultSet rs = null;
try {
con = JDBCUtils.getConnection();
st = con.createStatement();
String sql = "SELECT * FROM users WHERE `name`='"+userName+"' AND `password`='"+password+"'";
// SELECT * FROM users WHERE `name`='' or '1=1' AND `password`='123456'
System.out.println(sql);
rs = st.executeQuery(sql);
while (rs.next()) {
System.out.println("id="+rs.getInt("id"));
System.out.println("name="+rs.getString("name"));
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
JDBCUtils.release(con, st, rs);
}
}
}导致结果:错误的用户名或者密码可以获取到全部的用户信息
10.6 PreparedStatement对象
PreparedStatement可以防止SQL注入,效率更好
-
新增
import com.zyy.lesson02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
/**
* @ClassName: TestInsert
* @Description: TODO 类描述
* @Author: zyy
* @Date: 2021/07/14 18:19
* @Version: 1.0
*/
public class TestInsert {
public static void main(String[] args) {
Connection con = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
con = JDBCUtils.getConnection();
//使用?占位符代替参数
String sql = "INSERT INTO users(`id`,`name`,`password`,`email`,`birthday`) VALUES (?,?,?,?,?)";
//预编译SQL,先写SQL,然后不执行
st = con.prepareStatement(sql);
//手动给参数赋值
st.setInt(1, 5);
st.setString(2, "钱七");
st.setString(3, "123456");
st.setString(4, "[email protected]");
st.setDate(5, new java.sql.Date(new java.util.Date().getTime()));
int num = st.executeUpdate();
if (num > 0) {
System.out.println("插入成功!");
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
JDBCUtils.release(con, st, rs);
}
}
}- 删除
import com.zyy.lesson02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
/**
* @ClassName: TestDelete
* @Description: TODO 类描述
* @Author: zyy
* @Date: 2021/07/14 18:19
* @Version: 1.0
*/
public class TestDelete {
public static void main(String[] args) {
Connection con = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
con = JDBCUtils.getConnection();
//使用?占位符代替参数
String sql = "DELETE FROM users WHERE `id`=?";
//预编译SQL,先写SQL,然后不执行
st = con.prepareStatement(sql);
//手动给参数赋值
st.setInt(1, 5);
int num = st.executeUpdate();
if (num > 0) {
System.out.println("删除成功!");
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
JDBCUtils.release(con, st, rs);
}
}
}- 更新
import com.zyy.lesson02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
/**
* @ClassName: TestUpdate
* @Description: TODO 类描述
* @Author: zyy
* @Date: 2021/07/14 18:19
* @Version: 1.0
*/
public class TestUpdate {
public static void main(String[] args) {
Connection con = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
con = JDBCUtils.getConnection();
//使用?占位符代替参数
String sql = "UPDATE users SET birthday=? WHERE id=?";
//预编译SQL,先写SQL,然后不执行
st = con.prepareStatement(sql);
//手动给参数赋值
st.setDate(1, new java.sql.Date(new java.util.Date().getTime()));
st.setInt(2, 1);
int num = st.executeUpdate();
if (num > 0) {
System.out.println("修改成功!");
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
JDBCUtils.release(con, st, rs);
}
}
}- 查询
import com.zyy.lesson02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
/**
* @ClassName: TestSelect
* @Description: TODO 类描述
* @Author: zyy
* @Date: 2021/07/14 18:19
* @Version: 1.0
*/
public class TestSelect {
public static void main(String[] args) {
Connection con = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
con = JDBCUtils.getConnection();
//使用?占位符代替参数
String sql = "SELECT * FROM users WHERE id=?";
//预编译SQL,先写SQL,然后不执行
st = con.prepareStatement(sql);
//手动给参数赋值
st.setInt(1, 1);
rs = st.executeQuery();
while (rs.next()) {
System.out.println("id="+rs.getInt("id"));
System.out.println("name="+rs.getString("name"));
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
JDBCUtils.release(con, st, rs);
}
}
}- 防止sql注入
import com.zyy.lesson02.utils.JDBCUtils;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
/**
* @ClassName: SQLQuestion
* @Description: TODO 类描述
* @Author: zyy
* @Date: 2021/07/14 18:19
* @Version: 1.0
*/
public class SQLQuestion {
public static void main(String[] args) {
//正常登录
// login("张三","123456");
//sql注入
login("' or '1=1", "123456");
}
/**
* 登录业务
*/
public static void login(String userName, String password) {
Connection con = null;
PreparedStatement st = null;
ResultSet rs = null;
try {
con = JDBCUtils.getConnection();
// PreparedStatement 防止SQL注入的本质,把传递进来的参数当做字符
// 假设其中存在转义字符,比如说'会被直接转义
String sql = "SELECT * FROM users WHERE `name`=? AND `password`=?";
st = con.prepareStatement(sql);
st.setString(1, userName);
st.setString(2, password);
rs = st.executeQuery();
while (rs.next()) {
System.out.println("id=" + rs.getInt("id"));
System.out.println("name=" + rs.getString("name"));
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
JDBCUtils.release(con, st, rs);
}
}
}执行结果:查不到任何结果