How to use prepared statement

问题

Someone has suggested to use prepared statement but I don't know how to use it. What changes do I have to do in my code?

try
{
    Class.forName("sun.jdbc.odbc.JdbcOdbcDriver");
    System.out.println("\n Driver loaded");

    Connection con = DriverManager.getConnection("jdbc:odbc:wanisamajDB");

    Statement stmt = con.createStatement();
    System.out.println("statement is created");

    // System.out.println(Integer.parseInt(cbregn.getSelectedItem().toString()));

    String qry = " UPDATE Registration1 SET RegistrationNo = '"+cbregn.getSelectedItem()+"',SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"', ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"', STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"', MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"' where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;

          stmt.executeUpdate(qry);

          JOptionPane.showMessageDialog(null,"RECORD IS UPDATED SUCCESSFULLY ");
          System.out.println("QUERY");       

          // cbregn.setEditable(false);
          cbnm.setEditable(false);
          tfplace.setEditable(false);
          tfkul.setEditable(false);
          tfgotra.setEditable(false);
          tfswami.setEditable(false);
          taraddr.setEditable(false);
          tfpcd.setEditable(false);
          tfstdcode.setEditable(false);
          tftele.setEditable(false);
          tfmno.setEditable(false);
          tfemail.setEditable(false);
          tfweb.setEditable(false);
          tfedu.setEditable(false);
          tfbrch.setEditable(false);
          cbbldgrp.setEditable(false);
          con.close();
          stmt.close();
        }
//            catch(SQLException eM)
//            {
//            JOptionPane.showMessageDialog(null,"RECORD IS NOT FOUND ");
//            }
        catch(Exception et)
        {
             et.printStackTrace();
          //  System.out.println("error:"+et.getMessage());
        }  

回答1:

see example

Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack. Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function.

回答2:

In your code instead of this:

String qry= " UPDATE Registration1 set RegistrationNo = '"+cbregn.getSelectedItem()+"',SeniorPerson = '"+cbnm.getSelectedItem()+"', NativePlace = '"+tfplace.getText()+"',Kul = '"+tfkul.getText()+"', Gotra = '"+tfgotra.getText()+"' ,KulSwami = '"+tfswami.getText()+"', ResidensialAddress = '"+taraddr.getText()+"' , PinCode = '"+tfpcd.getText()+"', STDcode = '"+tfstdcode.getText()+"',TelephoneNo = '"+tftele.getText()+"', MobileNo = '"+tfmno.getText()+"', Email = '"+tfemail.getText()+"',Website ='"+tfweb.getText()+"',Education ='"+tfedu.getText()+"',Branch ='"+tfbrch.getText()+"',BloodGroup ='"+cbbldgrp.getSelectedItem()+"' where SeniorPerson='" +cbnm.getSelectedItem().toString()+"'" ;
stmt.executeUpdate(qry);

try this:

String qry= " UPDATE Registration1 set RegistrationNo = ?,SeniorPerson = ?, NativePlace = ?,Kul = ?, Gotra = ?,KulSwami = ?, ResidensialAddress = ?, PinCode = ?, STDcode = ?,TelephoneNo = ?, MobileNo = ?, Email = ?,Website =?,Education =?,Branch =?,BloodGroup =? where SeniorPerson=?" ;

PreparedStatement updateQry = con.prepareStatement(qry);
updateQry.setString(1,cbregn.getSelectedItem());
updateQry.setString(2,cbnm.getSelectedItem());
updateQry.setString(3,tfplace.getText());
updateQry.setString(4,tfkul.getText());
updateQry.setString(5,tfgotra.getText());
updateQry.setString(6,tfswami.getText());
updateQry.setString(7,taraddr.getText());
updateQry.setString(8,tfpcd.getText());
updateQry.setString(9,tfstdcode.getText());
updateQry.setString(10,tftele.getText());
updateQry.setString(11,tfmno.getText());
updateQry.setString(12,tfemail.getText());
updateQry.setString(13,tfweb.getText());
updateQry.setString(14,tfedu.getText());
updateQry.setString(15,tfbrch.getText());
updateQry.setString(16,cbbldgrp.getSelectedItem());
updateQry.setString(17,cbnm.getSelectedItem().toString());
updateQry.executeUpdate():

回答3:

    public class UpdatesRecords{
     public static void main(String[] args) {
    System.out.println("Updates Records Example through Prepared Statement!");
    Connection con = null;
    try{
      Class.forName("com.mysql.jdbc.Driver");
      con = DriverManager.getConnection(
     "jdbc:mysql://localhost:3306/jdbctutorial","root","root");
      try{
        String sql = "UPDATE movies SET title = ? WHERE year_made = ?";
        PreparedStatement prest = con.prepareStatement(sql);
        prest.setString(1,"Sanam We wafafa");
        prest.setInt(2,2005);
        prest.executeUpdate();
        System.out.println("Updating Successfully!");
        con.close();
      }
      catch (SQLException s){
        System.out.println("SQL statement is not executed!");
      }
    }
     catch (Exception e){
      e.printStackTrace();
    }
   }
}

please use above code as reference and change your code

来源：https://stackoverflow.com/questions/5591271/how-to-use-prepared-statement