### JDBC DriverManager—》Connection—〉Statement—》ResultSet 1、加载数据库驱动,Java Application 和数据库之间的桥梁。 2、获取 Connection,一次连接。 3、Statement,由 Connection 产生,执行 SQL 语句。 4、如果是查询操作,ResultSet 保存 Statement 执行后所产生的结果,如果是增、删、改操作,直接返回 int 数据。 ### PreparedStatement Statment 的子接口,提供了一个 SQL 占位符功能。 ```sql select * from user where id = 1; select * from user where id = ?; ``` 为了解决动态拼接 SQL 语句所带来的问题,手动拼接的弊端? - 麻烦,容易出错 - SQL 注入的风险 利用某些系统没有对用户输入的数据进行充分校验,在用户输入的数据中注入非法的 SQL 语句,从而利用系统的 SQL 引擎完成恶意操作的行为。 使用 PreparedStatement 提供的 SQL 占位符功能一方面可以简化 SQL 代码的编写,提高效率,减少出错的概率,同时还可以有效防止 SQL 注入。 PreparedStatement 防止 SQL 注入的基本原理: SQL 语句在程序运行前已经进行了预编译,在操作数据库之前,SQL 语句已经被数据库引擎编译,优化,当动态参数传给 PreparedStatement,数据库会自动检测参数值,如果包含" or 1=1",则会把这个值整体当作字段的值来进行判断,而不会进行逻辑运算。 将图片存入数据库 原理:将图片转为二进制流,然后将二进制流保存到数据库中,要求存储图片的字段数据类型为二进制类型。 MySQL 有四种二进制数据类型(除了存储最大信息量不同之外,没有区别) blob 最大 65 KB tynyblob 最大 255 KB 255*1024 byte mediumblob 最大 16 MB longblob 最大 4 GB 1、在数据表中添加一个字段 mediumblob 类型。 2、在 Java 程序中通过 JDBC 向数据库插入图片数据。 - 将图片转为二进制流。 - 通过调用 setBlob() 方法完成数据的传入。 将图片保存到数据库中。 ```java package com.southwind.test; import com.southwind.utils.JDBCTools; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.SQLException; public class BlobTest { public static void main(String[] args) { Connection connection = JDBCTools.getConnection(); PreparedStatement preparedStatement = null; try { InputStream inputStream = new FileInputStream("1.png"); System.out.println(inputStream.available()); String sql = "insert into t_user(username,password,age,file) values(?,?,?,?)"; preparedStatement = connection.prepareStatement(sql); preparedStatement.setString(1,"图片"); preparedStatement.setString(2,"000"); preparedStatement.setInt(3,18); preparedStatement.setBlob(4,inputStream); preparedStatement.executeUpdate(); } catch (FileNotFoundException e) { e.printStackTrace(); } catch (IOException e){ e.printStackTrace(); } catch (SQLException e){ e.printStackTrace(); }finally { JDBCTools.release(connection,preparedStatement,null); } } } ``` 从数据库中读取图片。 ```java package com.southwind.test; import com.southwind.utils.JDBCTools; import java.io.*; import java.sql.*; public class ReadImg { public static void main(String[] args) { Connection connection = JDBCTools.getConnection(); PreparedStatement preparedStatement = null; ResultSet resultSet = null; InputStream inputStream = null; OutputStream outputStream = null; try { String sql = "select * from t_user where id = ?"; preparedStatement = connection.prepareStatement(sql); preparedStatement.setInt(1,30); resultSet = preparedStatement.executeQuery(); if(resultSet.next()){ int id = resultSet.getInt(1); String username = resultSet.getString(2); String password = resultSet.getString(3); int age = resultSet.getInt(4); Blob file = resultSet.getBlob(5); System.out.println(id); System.out.println(username); System.out.println(password); System.out.println(age); System.out.println(file); inputStream = file.getBinaryStream(); outputStream = new FileOutputStream("3.jpg"); int temp = 0; while((temp = inputStream.read())!=-1){ outputStream.write(temp); } } } catch (SQLException e) { e.printStackTrace(); } catch (FileNotFoundException e){ e.printStackTrace(); } catch (IOException e){ e.printStackTrace(); } finally { JDBCTools.release(connection,preparedStatement,resultSet); try { inputStream.close(); outputStream.close(); } catch (IOException e) { e.printStackTrace(); } } } } ```
ReadImg.java
package com.southwind.test; import com.southwind.utils.JDBCTools; import java.io.*; import java.sql.*; public class ReadImg { public static void main(String[] args) { Connection connection = JDBCTools.getConnection(); PreparedStatement preparedStatement = null; ResultSet resultSet = null; InputStream inputStream = null; OutputStream outputStream = null; try { String sql = "select * from t_user where id = ?"; preparedStatement = connection.prepareStatement(sql); preparedStatement.setInt(1,30); resultSet = preparedStatement.executeQuery(); if(resultSet.next()){ int id = resultSet.getInt(1); String username = resultSet.getString(2); String password = resultSet.getString(3); int age = resultSet.getInt(4); Blob file = resultSet.getBlob(5); System.out.println(id); System.out.println(username); System.out.println(password); System.out.println(age); System.out.println(file); inputStream = file.getBinaryStream(); outputStream = new FileOutputStream("2.png"); int temp = 0; while((temp = inputStream.read())!=-1){ outputStream.write(temp); } } } catch (SQLException e) { e.printStackTrace(); } catch (FileNotFoundException e){ e.printStackTrace(); } catch (IOException e){ e.printStackTrace(); } finally { JDBCTools.release(connection,preparedStatement,resultSet); try { inputStream.close(); outputStream.close(); } catch (IOException e) { e.printStackTrace(); } } } }
Test.java
package com.southwind.test; import com.southwind.utils.JDBCTools; import java.sql.*; public class Test { public static void main(String[] args) { System.out.println(login("dsaf' or '1'='1","asdf' or '1'='1")); System.out.println(login2("zhangsan","123")); } public static boolean login(String username,String password){ Connection connection = null; Statement statement = null; ResultSet resultSet = null; boolean flag = false; try { connection = JDBCTools.getConnection(); String sql = "select * from t_user where username = '"+username+"' and password = '"+password+"'"; statement = connection.createStatement(); resultSet = statement.executeQuery(sql); if(resultSet.next()){ flag = true; } } catch (SQLException e) { e.printStackTrace(); } finally { JDBCTools.release(connection,statement,resultSet); } return flag; } public static boolean login2(String username,String password){ Connection connection = null; PreparedStatement preparedStatement = null; ResultSet resultSet = null; boolean flag = false; try { connection = JDBCTools.getConnection(); String sql = "select * from t_user where username = ? and password = ?"; System.out.println(sql); preparedStatement = connection.prepareStatement(sql); preparedStatement.setString(1,username); preparedStatement.setString(2,password); resultSet = preparedStatement.executeQuery(); if(resultSet.next()){ flag = true; } } catch (SQLException e) { e.printStackTrace(); } finally { JDBCTools.release(connection,preparedStatement,resultSet); } return flag; } }
WriteImg.java
package com.southwind.test; import com.southwind.utils.JDBCTools; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.sql.Connection; import java.sql.PreparedStatement; import java.sql.SQLException; public class WriteImg { public static void main(String[] args) { Connection connection = JDBCTools.getConnection(); PreparedStatement preparedStatement = null; try { InputStream inputStream = new FileInputStream("1.png"); System.out.println(inputStream.available()); String sql = "insert into t_user(username,password,age,file) values(?,?,?,?)"; preparedStatement = connection.prepareStatement(sql); preparedStatement.setString(1,"图片"); preparedStatement.setString(2,"000"); preparedStatement.setInt(3,18); preparedStatement.setBlob(4,inputStream); preparedStatement.executeUpdate(); } catch (FileNotFoundException e) { e.printStackTrace(); } catch (IOException e){ e.printStackTrace(); } catch (SQLException e){ e.printStackTrace(); }finally { JDBCTools.release(connection,preparedStatement,null); } } }
JDBCTools.java
package com.southwind.utils; import java.sql.*; public class JDBCTools { private static String url = "jdbc:mysql://localhost:3306/mbtest?useUnicode=true&characterEncoding=UTF-8"; private static String user = "root"; private static String password = "root"; private static String driverName = "com.mysql.cj.jdbc.Driver"; static{ try { Class.forName(driverName); } catch (ClassNotFoundException e) { e.printStackTrace(); } } public static Connection getConnection(){ Connection connection = null; try { connection = DriverManager.getConnection(url,user,password); } catch (SQLException e) { e.printStackTrace(); } return connection; } public static void release(Connection connection, Statement statement, ResultSet resultSet){ try { if(connection!=null){ connection.close(); } if(statement!=null){ statement.close(); } if(resultSet!=null){ resultSet.close(); } } catch (SQLException e) { e.printStackTrace(); } } }