java 防止sql注入的简单方法

package test;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import utils.DBUtils;

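public class TestEmp {

    /**
     * Entry point: prints every {@code emp} row whose job is CLERK (any ename).
     *
     * <p>The filter values reach the database only as bound parameters of a
     * {@link PreparedStatement}; they are treated as data, never as SQL text,
     * which is what makes the query safe against SQL injection.
     *
     * @param args ignored
     * @throws Exception if the connection cannot be obtained or the query fails
     */
    public static void main(String[] args) throws Exception {
        // try-with-resources closes the connection on every path, including when
        // the query throws; the original only closed it after a successful loop.
        try (Connection con = DBUtils.getConnection()) {
            // null ename = ename filter disabled (the original bound flag 1 for it);
            // job fixed to CLERK, exactly as the original hard-coded parameters did.
            printEmployees(con, null, "CLERK");
        }
    }

    /**
     * Queries {@code emp} with optional exact-match filters and prints the first
     * three columns of each matching row as one comma-separated line.
     *
     * <p>Each filter is expressed as {@code (1=? or col=?)}: binding 1 to the flag
     * makes the clause always true (filter disabled), binding 0 leaves only the
     * {@code col=?} comparison. Both the flag and the value are parameters, so
     * caller-supplied strings can never change the statement's structure.
     *
     * @param con   open connection; the caller remains responsible for closing it
     * @param ename exact ename to match, or {@code null} to match any ename
     * @param job   exact job to match, or {@code null} to match any job
     * @throws SQLException if preparing or executing the query fails
     */
    private static void printEmployees(Connection con, String ename, String job)
            throws SQLException {
        String sql = "select * from emp where (1=? or ename=?) and (1=? or job=?)";
        try (PreparedStatement stmt = con.prepareStatement(sql)) {
            bindFilter(stmt, 1, ename);
            bindFilter(stmt, 3, job);
            // The ResultSet is closed too; the original left stmt and rs unclosed.
            try (ResultSet rs = stmt.executeQuery()) {
                while (rs.next()) {
                    System.out.println(rs.getString(1) + "," + rs.getString(2) + ","
                            + rs.getString(3));
                }
            }
        }
    }

    /**
     * Binds one {@code (1=? or col=?)} pair: the flag at {@code flagIndex} and the
     * compared value at {@code flagIndex + 1}.
     *
     * @param stmt      statement to bind into
     * @param flagIndex 1-based index of the flag parameter
     * @param value     value to match, or {@code null} to disable this filter
     * @throws SQLException if a parameter cannot be set
     */
    private static void bindFilter(PreparedStatement stmt, int flagIndex, String value)
            throws SQLException {
        // Flag 1 => "1=1 or ..." is always true, so the value is irrelevant; an
        // empty string keeps the parameter typed rather than leaving it unset.
        stmt.setInt(flagIndex, value == null ? 1 : 0);
        stmt.setString(flagIndex + 1, value == null ? "" : value);
    }
}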

