PHP中文网2017-04-18 09:25:18
The usage process of PrepareStatement is as follows:
Use placeholder SQL instantiation
Call the bindXX method to complete parameter binding
Call the executeUpdate or executeQuery method. No parameters are passed here, because the parameters are processed in steps 1 and 2
巴扎黑2017-04-18 09:25:18
You have already passed the sql to pst above. Why do you need to pass it to executQuery?
怪我咯2017-04-18 09:25:18
In your psr.executeQuery(sql), you have already passed the parameters to get the result set. There is no need to pass the parameters anymore,
巴扎黑2017-04-18 09:25:18
PreparedStatement class is used to prepare sql statements.
For example:
`ResultSet rs = null;
PreparedStatement loginStatement =
sqlDAO.sqlConnection().prepareStatement("SELECT username,password FROM user_table WHERE username = ? AND password = ?");
loginStatement.setString(1, username);
loginStatement.setString(2, password);
rs = loginStatement.executeQuery();`
? Representing placeholders, we can use methods such as setString(int, String) to set values for placeholders. The int parameter is the placeholder number (note that it does not start from 0, it is the mathematical number). The second parameter indicates that we are going to replace the corresponding placeholder (?) with the value. Doing this will prevent our database from being sql injected. It is worth noting that the sql statement keyword cannot be replaced by a placeholder , because the placeholder will automatically wrap the string we specify in single quotes, causing the sql statement to fail to execute. Check out the mobile phone code