JDBC的PreparedStatement语句使用记录

时间 2019-12-14

标签 jdbc preparedstatement 语句使用记录栏目 Java 繁體版

原文原文链接

<<JDBC为何要使用PreparedStatement而不是Statement>> 列举了为何PreparedStatement要优于Statement，其中最主要的两点是更快的性能和防止SQL注入攻击。在文章的末尾提到了一个局限性：PreparedStatement不容许一个占位符（？）有多个值，并提出了如何在**IN**子句使用PreparedStatement的棘手问题。html

《JDBC PreparedStatement IN clause alternative approaches》给出了四种方案：java

1. Execute Single Queriessql

2. Using Stored Procedureapp

3. Creating PreparedStatement Query dynamically性能

4. Using NULL in PreparedStatement Queryui

第三和第四方案看起来更合适些，第四种方案能够看做是第三种方案的扩展。spa

第三种使用下面代码构建SQL语句code

private static String createQuery(int length) {
        String query = "select empid, name from Employee where empid in (";
        StringBuilder queryBuilder = new StringBuilder(query);
        for( int i = 0; i< length; i++){
            queryBuilder.append(" ?");
            if(i != length -1) queryBuilder.append(",");
        }
        queryBuilder.append(")");
        return queryBuilder.toString();
    }

这种方式虽然可行，可是若是输入的参数个数发生变化，就不会get the PreparedStatement benefit of caching and reusing the execution plan。htm

因此就有了第四种方案：blog

public class JDBCPreparedStatementNULL {
 
    private static final String QUERY = "select empid, name from Employee where empid in ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    private static final int PARAM_SIZE = 10;
    public static void printData(int[] ids){
         
        if(ids.length > PARAM_SIZE){
            System.out.println("Maximum input size supported is "+PARAM_SIZE);
            //in real life, we can write logic to execute in batches, for simplicity I am returning
            return;
        }
        Connection con = DBConnection.getConnection();
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            ps = con.prepareStatement(QUERY);
             
            int i = 1;
            for(; i <=ids.length; i++){
                ps.setInt(i, ids[i-1]);
            }
             
            //set null for remaining ones
            for(; i<=PARAM_SIZE;i++){
                ps.setNull(i, java.sql.Types.INTEGER);
            }
             
            rs = ps.executeQuery();
                 
            while(rs.next()){
                System.out.println("Employee ID="+rs.getInt("empid")+", Name="+rs.getString("name"));
            }
                 
            //close the resultset here
            try{
                rs.close();
            } catch(SQLException e){}
             
        } catch (SQLException e) {
            e.printStackTrace();
        }finally{
            try {
                ps.close();
                con.close();
            } catch (SQLException e) {
                e.printStackTrace();
            }
        }
    }
}

在第三种方案的基础上，咱们肯定最大参数个数，除了输入的参数外，剩余参数所有用setNull()置为空。这样又能够重用执行计划和预处理的cache。

More：PreparedStatement and Statement能够批量执行，参考《使用JDBC进行批处理》