Statement is easy to hit with SQL injection, because it puts the data the user passed in straight into the database query. PreparedStatement only reserves empty slots for the values, which raises the chance of keeping injection out.

Unsafe version:
Statement s = connection.createStatement();
ResultSet rs = s.executeQuery("SELECT email FROM member WHERE

IN parameters:
String sql = "select * from user where user.age in (?, ?, ?, ?) and name like ?";
... ...
stmt.setInt(1, 11);
stmt.setInt(2, 12);
stmt.setInt(3, 13);
stmt.setInt(4, 14);

LIKE parameter:
stmt.setSt
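Added example, not code from the original post: the same Statement-versus-PreparedStatement contrast carried into Python's stdlib sqlite3 driver, which uses the same `?` placeholder syntax as JDBC. The table, rows and the `member`/`age`/`name` columns are constructed here for the demo; it also shows the page's `in (?, ?, ?, ?) and name like ?` pattern with one placeholder per IN value and the caveat that `%` and `_` inside a bound LIKE value still act as wildcards.

```python
import sqlite3

# Constructed in-memory sample data (not from the original page).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE member (email TEXT, name TEXT, age INTEGER);
INSERT INTO member VALUES ('a@example.com', 'alice', 11);
INSERT INTO member VALUES ('b@example.com', 'bob', 30);
INSERT INTO member VALUES ('c@example.com', 'carol_x', 13);
""")

def unsafe_lookup(name):
    # Mirrors the page's Statement: user input is spliced into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT email FROM member WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(name):
    # Mirrors PreparedStatement: '?' reserves a slot and the driver binds the
    # value as data, so the same input can only ever match a name literally.
    sql = "SELECT email FROM member WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def in_and_like(ages, pattern):
    # The page's "in (?, ?, ?, ?) and name like ?": one placeholder per value,
    # generated from the list length rather than pasted in as text.
    placeholders = ", ".join("?" for _ in ages)
    sql = ("SELECT name FROM member WHERE age IN (" + placeholders + ")"
           " AND name LIKE ? ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql, (*ages, pattern))]

def like_literal(s):
    # A bound LIKE parameter is data, but '%' and '_' are still wildcards
    # inside it; escape them when the user's text should match literally.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(unsafe_lookup(payload))   # every email: the OR clause was injected
    print(safe_lookup(payload))     # []: the quote is just part of a name
    print(in_and_like([11, 12, 13, 14], like_literal("carol_") + "%"))
```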