java - Error: executeQuery() cannot take a parameter when used on a PreparedStatement
PHP中文网 2017-04-18 09:23:18
4 replies
洪涛

The usage process of PreparedStatement is as follows:

  1. Instantiate it with SQL that uses placeholders

  2. Call the bindXX methods to complete parameter binding

  3. Call the executeUpdate or executeQuery method. No parameters are passed here, because the parameters were already handled in steps 1 and 2.

巴扎黑

You have already passed the SQL to pst above. Why do you need to pass it to executeQuery again?

刘奇

In your psr.executeQuery(sql), you have already passed the parameters to get the result set. There is no need to pass the parameters anymore.

巴扎黑

The PreparedStatement class is used to prepare SQL statements.
For example:

```java
import java.sql.PreparedStatement;
import java.sql.ResultSet;

ResultSet rs = null;
// Step 1: prepare the SQL with "?" placeholders (sqlDAO.sqlConnection() is the poster's own helper)
PreparedStatement loginStatement =
        sqlDAO.sqlConnection().prepareStatement(
                "SELECT username,password FROM user_table WHERE username = ? AND password = ?");
// Step 2: bind the values; placeholder indexes start at 1
loginStatement.setString(1, username);
loginStatement.setString(2, password);
// Step 3: execute without passing the SQL again
rs = loginStatement.executeQuery();
```

`?` represents a placeholder; we can use methods such as setString(int, String) to set values for the placeholders. The int parameter is the placeholder number (note that it does not start from 0; it is the ordinary counting number). The second parameter is the value we want to substitute for the corresponding placeholder (?). Doing this prevents our database from being SQL injected. It is worth noting that SQL keywords cannot be replaced by a placeholder, because the placeholder automatically wraps the string we specify in single quotes, causing the SQL statement to fail to execute.
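As an added illustration (not from the original post), the same three-step contract shown with Python's built-in sqlite3 module, whose `?` placeholders follow the JDBC rule: values are bound separately from the SQL text, execute is called without re-passing the SQL, and a placeholder can only ever carry a value, never a column name or keyword. The user_table contents are constructed here; JDBC's 1-based setString(n, ...) corresponds to the positional tuple.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's user_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?)",
                     [("alice", "pw1"), ("o'brien", "pw2")])
    return conn


def login_bound(conn, username, password):
    """Step 1: SQL with '?' placeholders. Step 2: bind values (the tuple).
    Step 3: execute; the SQL is not passed again. Quotes in a value stay data."""
    sql = "SELECT username FROM user_table WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def login_concat(conn, username, password):
    """The pattern the prepared statement replaces: values pasted into the SQL
    text. A quote inside a value becomes part of the statement, so a legitimate
    name such as o'brien breaks the query (returned as 'SQL error' here)."""
    sql = ("SELECT username FROM user_table WHERE username = '%s' AND password = '%s'"
           % (username, password))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return "SQL error"


def select_bound_column(conn, column):
    """The caveat from the answer above: a bound placeholder is a quoted value,
    so binding 'username' selects the literal string, not the column."""
    return [row[0] for row in conn.execute(
        "SELECT ? FROM user_table", (column,))]


def select_column(conn):
    """Identifiers must be part of the SQL text itself."""
    return [row[0] for row in conn.execute("SELECT username FROM user_table")]
```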
