
Java-to-SQL statement: variables in INSERT INTO vs setString

What is the difference between these two statements? Do they both work the same way, or does the first one work at all? Can I use variables after "Insert into"?

stmt = conn.prepareStatement("INSERT INTO treatment(CPR,Treatment,ID,TreatedOn) "+
"VALUES("+Cpr+Id+date.toString());

Where id, cpr are a string, int or other variable; in my case it is a string.

PreparedStatement insertStatement;

insertStatement = connection.prepareStatement("INSERT INTO sep2.movies(title,length) "
        + "VALUES (?,?)");   // one placeholder per column
insertStatement.setString(1, Title);
insertStatement.setInt(2, movie.getLength());

where Title is a string and getLength returns an int.

Which one of these should I use?

I understand what setString does, but do I have to use it?

Also, I am inserting only elementary/non-object data types into Treatment. Does it make a difference? (I am using postgres, if that matters.)

Another important aspect of using bind variables is that it improves the performance of the application. When you use bind variables, the database server caches and optimizes the query and improves the performance (with respect to time and processing) of your application.

For example, when you use

insertStatement = connection.prepareStatement("INSERT INTO sep2.movies(title,length) "
        + "VALUES (?,?)");
insertStatement.setString(1, Title);
insertStatement.setInt(2, movie.getLength());

the statement is cached inside the database server and only the parameters are bound at run time inside the database. This will improve performance significantly.

You can read "Designing applications for performance and scalability", an Oracle White Paper: http://www.oracle.com/technetwork/database/performance/designing-applications-for-performa-131870.pdf

It is always a good practice that applications that execute SQL commands neutralize any externally provided values used in those commands. Failing to do so could allow an attacker to include input that changes the query so that unintended commands are executed or sensitive data is exposed (SQL Injection).

The first example (string concatenation) is not safe, because it is vulnerable to SQL Injection since malicious data can be concatenated to the query itself (not to mention that it can lead to syntax errors, etc).

The second case (where methods such as PreparedStatement#setString are used) correctly uses parameterized queries by utilizing Java's PreparedStatement class, bind variables and the corresponding setString methods. Thus SQL Injection can be easily prevented (avoiding other problems such as the mentioned syntax errors).
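As an added illustration of both answers' point (this is not code from the question or from either answer), here are the same two insert strategies in Python against an in-memory SQLite table standing in for the asker's Postgres sep2.movies table, with constructed sample rows; sqlite3 uses ? placeholders just as JDBC's PreparedStatement does. The concatenated form fails on an ordinary title containing an apostrophe, because the data has become part of the SQL text, while the bound form stores it unchanged.

```python
import sqlite3

# Constructed sample rows (not from the original post). The second title
# contains an apostrophe, which is perfectly ordinary data for a movie title.
MOVIES = [("Heat", 170), ("Ocean's Eleven", 116)]


def fresh_db():
    """In-memory SQLite stands in for the asker's Postgres sep2.movies table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE movies(title TEXT, length INTEGER)")
    return conn


def insert_concatenated(conn, title, length):
    """Mirrors the first example: values pasted into the SQL text itself.
    Returns None on success, or the database error message on failure."""
    sql = "INSERT INTO movies(title,length) VALUES('" + title + "'," + str(length) + ")"
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as e:
        # The apostrophe in the title terminates the string literal early,
        # so the rest of the title is parsed as SQL and the parser rejects it.
        return str(e)


def insert_bound(conn, title, length):
    """Mirrors the second example: ? placeholders with the values bound
    separately, like PreparedStatement.setString / setInt. The driver never
    lets the title's characters reach the SQL parser."""
    conn.execute("INSERT INTO movies(title,length) VALUES (?,?)", (title, length))
    return None


def run(inserter):
    """Insert every sample row with one strategy.
    Returns (list of error messages, list of titles actually stored)."""
    conn = fresh_db()
    errors = []
    for title, length in MOVIES:
        err = inserter(conn, title, length)
        if err is not None:
            errors.append(err)
    titles = [row[0] for row in conn.execute("SELECT title FROM movies ORDER BY rowid")]
    conn.close()
    return errors, titles


if __name__ == "__main__":
    print("concatenated:", run(insert_concatenated))  # one syntax error, only "Heat" stored
    print("bound:       ", run(insert_bound))         # no errors, both titles stored
```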


Further reading:
