使用PreparedStatement的好处:
*可读性和维护性强
1、不再使用+拼接sql语句,减少语法错误,语义性强
2、将模板sql(固定的部分)和参数部分进行了分离,提高维护性
3、有效的解决了sql注入问题!
*效率高
4、大大减少了编译次数,效率较高
//statement
//where子句后的字符串条件一定要加引号
String sql = "select count(*) from admin where username = '" + username + "' and password = '" + pwd+"'";
//System.out.println(sql);
Statement statement=connection.createStatement();
ResultSet set = statement.executeQuery(sql);
//PreparedStatement
//3-1 编写sql
String sql = "select count(*) from admin where username = ? and password = ?";
//3-1 获取PreparedStatement命令对象
PreparedStatement statement = connection.prepareStatement(sql);
//预编译
//3-2 设置占位符的值
statement.setString(1, username);
statement.setString(2, pwd);
//3-3 执行sql命令
ResultSet set = statement.executeQuery();