sql语句不应该直接带参数是为了防止sql注入攻击

<pre name="code" class="java">String sql = "select * from market_orders where createdate>='"+startTime+"' and createdate<'"+endTime+"'";

上面的sql语句是不安全的，容易导致sql注入攻击我也不知道什么是sql注入攻击

应该这样写更安全，养成习惯

String sql = "select * from market_orders where createdate>='？' and createdate<'？'";

然后setParameter()将参数传进去

具体的如下，int和string必须区分好

String sql = "insert into mealtbl (createTime,userID,mealTypeID,detail,num)values(?,?,?,?,?)";try {PreparedStatement pstmt = conn.prepareStatement(sql);pstmt.setString(1, m.getCreateTime());pstmt.setInt(2, m.getUserID());pstmt.setInt(3, m.getMealTypeID());pstmt.setString(4,m.getDetail());pstmt.setInt(5, m.getNum());pstmt.executeUpdate();} catch (SQLException e) {// TODO Auto-generated catch blocke.printStackTrace();}finally{util.close(conn);}