PreparedStatement
Statement requires building the SQL by string concatenation, which is hard to read and hard to maintain.
PreparedStatement sets values through parameters, which is readable and far less error-prone.
Statement (string concatenation):
String sql = "insert into hero values(null,"+"'提莫'"+","+313.0f+","+50+")";
PreparedStatement (placeholders in the SQL, values bound afterwards):
String sql = "insert into hero values(null,?,?,?)";
PreparedStatement ps = c.prepareStatement(sql);   // c is an open java.sql.Connection
ps.setString(1, "提莫");   // parameter indexes start at 1, not 0
ps.setFloat(2, 313.0f);
ps.setInt(3, 50);
ps.execute();
PreparedStatement has a precompilation mechanism, so it performs better than Statement, especially when the same SQL is executed repeatedly with different values.
PreparedStatement prevents SQL injection attacks: parameter values are sent to the database separately from the SQL text, so they are never parsed as part of the statement.
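The following is an added example, not code from the original page. It puts the two approaches above side by side against an in-memory H2 database (the H2 JDBC driver on the classpath is an assumption, chosen so the program runs offline), using a name that contains a single quote: the concatenated Statement breaks because the quote becomes part of the SQL text, while the PreparedStatement stores it as plain data. It also reuses one prepared statement in a batch, which is where precompilation pays off. The column names id/name/hp/damage and the table layout are assumptions shaped to match the page's hero(null, ?, ?, ?) insert.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example (not from the original page). Assumes the H2 JDBC driver is on the
// classpath; MySQL compatibility mode is used so that inserting null into the
// auto-increment id column generates an id, matching the page's values(null, ...).
// Column names (id, name, hp, damage) are assumed.
public class PreparedStatementDemo {

    static final String URL = "jdbc:h2:mem:demo;MODE=MySQL;DB_CLOSE_DELAY=-1";

    public static void main(String[] args) throws SQLException {
        try (Connection c = DriverManager.getConnection(URL)) {
            try (Statement st = c.createStatement()) {
                st.execute("create table hero(id int auto_increment primary key, "
                        + "name varchar(64), hp float, damage int)");
            }

            // Untrusted input: an ordinary name that happens to contain a quote.
            String name = "O'Neil";

            // 1) Statement with string concatenation: the quote terminates the literal
            //    early and the statement no longer parses. Input that can change the
            //    SQL text can change its meaning; that is the root of SQL injection.
            String concatenated = "insert into hero values(null,'" + name + "'," + 313.0f + "," + 50 + ")";
            try (Statement st = c.createStatement()) {
                st.execute(concatenated);
                System.out.println("concatenated insert unexpectedly succeeded");
            } catch (SQLException e) {
                System.out.println("concatenated insert failed: " + e.getMessage());
            }

            // 2) PreparedStatement: the SQL text is fixed and compiled once; values are
            //    sent separately as parameters, so the quote is stored as data.
            String sql = "insert into hero values(null,?,?,?)";
            try (PreparedStatement ps = c.prepareStatement(sql)) {
                ps.setString(1, name);
                ps.setFloat(2, 313.0f);
                ps.setInt(3, 50);
                ps.execute();

                // Reusing the same prepared statement for many rows: only the
                // parameters change, the compiled statement is reused.
                for (int i = 0; i < 100; i++) {
                    ps.setString(1, "hero" + i);
                    ps.setFloat(2, 100.0f + i);
                    ps.setInt(3, i);
                    ps.addBatch();
                }
                ps.executeBatch();
            }

            System.out.println("rows stored: " + countRows(c));              // 101
            System.out.println("quote kept intact: " + nameIsStored(c, name)); // true
        }
    }

    static int countRows(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("select count(*) from hero")) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Parameterised read-back: the lookup value is bound, never concatenated.
    static boolean nameIsStored(Connection c, String name) throws SQLException {
        try (PreparedStatement ps = c.prepareStatement("select count(*) from hero where name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1) == 1;
            }
        }
    }
}
```

Compile and run with the H2 jar on the classpath (for example `java -cp h2-*.jar:. PreparedStatementDemo`). The first insert fails with a syntax error from the database, the second succeeds, and the read-back confirms that the stored name still contains the quote; the same binding discipline applies to every query that carries user-supplied values, not only inserts.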
