SQL注入(PreparedStatement)

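/**
 * Side-by-side demonstration of the same login lookup written two ways:
 * {@link #test1()} splices the values into the SQL text (injectable), while
 * {@link #test2()} binds them through a {@link PreparedStatement}.
 *
 * <p>Both tests need the database reachable through {@code JdbcUtil} and a
 * {@code users} table with {@code name} and {@code password} columns.
 *
 * <p>NOTE(review): the query compares {@code password} directly in SQL, which
 * implies passwords are stored as plain text. That keeps the demo short, but a
 * real login should store a salted, slow password hash (bcrypt/scrypt/argon2)
 * and verify it in application code.
 */
public class Demo2 {
    // Sample "user name" that carries a SQL fragment: a quote that ends the string
    // literal, an always-true condition, and a trailing "-- " comment marker.
    private String name = "ericdfdfdfddfd' OR 1=1 -- ";
    private String password = "123456";

    /**
     * Counter-example: builds the statement by string concatenation.
     *
     * <p>DELIBERATELY VULNERABLE. It is kept only to show the failure mode and
     * must not be copied into real code. With the {@code name} above, the text
     * handed to the database is
     * {@code ... where name='ericdfdfdfddfd' OR 1=1 -- ' and password='123456'}.
     * On databases that treat {@code "-- "} as a line comment, the password
     * check is therefore never evaluated, and the "login succeeded" branch runs
     * whenever the table holds at least one row.
     *
     * @throws RuntimeException wrapping any failure while connecting or querying
     */
    @Test
    public void test1() {
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtil.getConnection();
            // The values become part of the SQL grammar here; this is the defect being shown.
            String sql = "select * from users where name='" + name
                    + "' and password='" + password + "'";
            stmt = conn.createStatement();
            rs = stmt.executeQuery(sql);
            if (rs.next()) {
                System.out.println("登录成功!");
            } else {
                System.out.println("登录失败!");
            }
        } catch (Exception e) {
            // Keep the cause so the underlying failure is not lost to the caller.
            throw new RuntimeException("login query (concatenated SQL) failed", e);
        } finally {
            JdbcUtil.close(stmt, conn, rs);
        }
    }

    /**
     * Fixed version: the SQL text is constant and the values are bound as parameters.
     *
     * <p>The statement contains only {@code ?} placeholders, so {@code name} and
     * {@code password} are passed as data and cannot change the structure of the
     * query. With the sample {@code name}, the lookup only matches a row whose
     * name is literally that whole string.
     *
     * @throws RuntimeException wrapping any failure while connecting or querying
     */
    @Test
    public void test2() {
        Connection conn = null;
        PreparedStatement stmt = null;
        ResultSet rs = null;
        try {
            conn = JdbcUtil.getConnection();
            String sql = "select * from users where name=? and password=?";
            stmt = conn.prepareStatement(sql);
            // JDBC parameter indexes are 1-based.
            stmt.setString(1, name);
            stmt.setString(2, password);
            rs = stmt.executeQuery();
            if (rs.next()) {
                System.out.println("登录成功!");
            } else {
                System.out.println("登录失败!");
            }
        } catch (Exception e) {
            // Keep the cause so the underlying failure is not lost to the caller.
            throw new RuntimeException("login query (prepared statement) failed", e);
        } finally {
            JdbcUtil.close(stmt, conn, rs);
        }
    }
}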