Question
Someone has suggested using a prepared statement, but I don't know how to use it. What changes do I have to make in my code?
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.Statement;
import javax.swing.JOptionPane;

// Inside the form's button handler; cbregn, cbnm, cbbldgrp are combo boxes, tf*/ta* are text fields.
try
{
    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    System.out.println("\n Driver loaded");
    Connection con = DriverManager.getConnection("jdbc:odbc:wanisamajDB");
    Statement stmt = con.createStatement();
    System.out.println("statement is created");
    // System.out.println(Integer.parseInt(cbregn.getSelectedItem().toString()));

    // Every field value is pasted straight into the SQL text. A single quote typed into
    // any field breaks the query, and crafted input can rewrite it (SQL injection).
    String qry = " UPDATE Registration1 SET RegistrationNo = '"+cbregn.getSelectedItem()+"',"
        + "SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',"
        + "Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"',"
        + " ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"',"
        + " STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"',"
        + " MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',"
        + "Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"'"
        + " where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;
    stmt.executeUpdate(qry);
    // Shown even when no row matched the WHERE clause; executeUpdate's return value says how many did.
    JOptionPane.showMessageDialog(null,"RECORD IS UPDATED SUCCESSFULLY ");
    System.out.println("QUERY");

    // Lock the form after a successful update.
    // cbregn.setEditable(false);
    cbnm.setEditable(false);
    tfplace.setEditable(false);
    tfkul.setEditable(false);
    tfgotra.setEditable(false);
    tfswami.setEditable(false);
    taraddr.setEditable(false);
    tfpcd.setEditable(false);
    tfstdcode.setEditable(false);
    tftele.setEditable(false);
    tfmno.setEditable(false);
    tfemail.setEditable(false);
    tfweb.setEditable(false);
    tfedu.setEditable(false);
    tfbrch.setEditable(false);
    cbbldgrp.setEditable(false);

    stmt.close();   // close the statement before the connection that owns it
    con.close();
}
// catch(SQLException eM)
// {
//     JOptionPane.showMessageDialog(null,"RECORD IS NOT FOUND ");
// }
catch(Exception et)
{
    et.printStackTrace();
    // System.out.println("error:"+et.getMessage());
}
Recommended answer
See:
Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack. Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function.
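The answer above explains the principle but not the code change. The following is an added example, not part of the original question or answer: it rewrites the question's UPDATE with a PreparedStatement. Table and column names are taken from the question's query; the Registration holder class, the updateRegistration method and the JDBC URL parameter are hypothetical names chosen for this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Hypothetical helper (not from the original post) that performs the same UPDATE as the
 * question's code, but with bound parameters instead of string concatenation.
 */
public class RegistrationUpdater {

    // The SQL text is a compile-time constant and never contains user data. Each user-supplied
    // value is a '?' placeholder, so input such as   x' OR '1'='1   is stored as that literal
    // string; it cannot terminate the quoted value or alter the WHERE clause.
    private static final String UPDATE_SQL =
          "UPDATE Registration1 SET RegistrationNo = ?, SeniorPerson = ?, NativePlace = ?, "
        + "Kul = ?, Gotra = ?, KulSwami = ?, ResidensialAddress = ?, PinCode = ?, "
        + "STDcode = ?, TelephoneNo = ?, MobileNo = ?, Email = ?, Website = ?, "
        + "Education = ?, Branch = ?, BloodGroup = ? "
        + "WHERE SeniorPerson = ?";

    /** Plain holder for the form's field values (hypothetical; one field per SET column). */
    public static final class Registration {
        public String registrationNo, seniorPerson, nativePlace, kul, gotra, kulSwami,
                      residentialAddress, pinCode, stdCode, telephoneNo, mobileNo,
                      email, website, education, branch, bloodGroup;
    }

    /**
     * Updates the row whose SeniorPerson currently equals {@code currentSeniorPerson}.
     * Returns the number of rows affected; 0 means no matching record, which the
     * original code could not tell apart from a successful update.
     */
    public static int updateRegistration(String jdbcUrl, String currentSeniorPerson, Registration r)
            throws SQLException {
        // try-with-resources closes the statement first, then the connection, even on error.
        try (Connection con = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = con.prepareStatement(UPDATE_SQL)) {

            // Order must match the placeholders in UPDATE_SQL; the last one is the WHERE value.
            String[] values = {
                r.registrationNo, r.seniorPerson, r.nativePlace, r.kul, r.gotra, r.kulSwami,
                r.residentialAddress, r.pinCode, r.stdCode, r.telephoneNo, r.mobileNo,
                r.email, r.website, r.education, r.branch, r.bloodGroup,
                currentSeniorPerson
            };
            for (int i = 0; i < values.length; i++) {
                // setString sends the value separately from the SQL text; quotes and
                // backslashes in it need no escaping by the caller.
                ps.setString(i + 1, values[i]);
            }
            return ps.executeUpdate();
        }
    }

    // How the question's Swing handler would call this (field names as in the question):
    //   Registration r = new Registration();
    //   r.registrationNo = cbregn.getSelectedItem().toString();
    //   r.seniorPerson   = cbnm.getSelectedItem().toString();
    //   r.nativePlace    = tfplace.getText();
    //   ... one assignment per field ...
    //   int rows = updateRegistration("jdbc:odbc:wanisamajDB", cbnm.getSelectedItem().toString(), r);
    //   JOptionPane.showMessageDialog(null, rows == 0 ? "RECORD IS NOT FOUND" : "RECORD IS UPDATED SUCCESSFULLY");
}
```

Two caveats a practitioner should keep in mind. Placeholders bind values only: a table or column name taken from user input cannot be passed as `?` and must be checked against a fixed list instead. And the driver setup in the question is dated: JDBC 4 drivers load themselves, so the `Class.forName` call is unnecessary, and the JDBC-ODBC bridge (`sun.jdbc.odbc.JdbcOdbcDriver`) was removed in Java 8, so on a current JVM the URL will need a native driver for whatever database actually holds Registration1. If RegistrationNo is a numeric column (the commented-out `Integer.parseInt` suggests it may be), bind it with `setInt` rather than `setString`.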