[JAVA] SQL Query๋ฌธ : Prepared Statement
๊ฒฐ๋ก
query๋ฌธ์ ๋ฃ์ ๋๋
String query = "select * from user2 where name like '" + userName + "'";์ด๋ ๊ฒ ๋ฃ์ง ๋ง๊ณ
String query = "select * from user2 where name like ?";์ด๋ ๊ฒ ๋ฃ์
โ์โ → ๋ณด์์ด ์ทจ์ฝํด์ง๊ธฐ ๋๋ฌธ์ด๋ค.
Prepared Statement
public User getUser(String userName, String userPassword) {
Connection connection = getConnection();
String query = "select * from user2 where name like '" + userName + "'";
User user = new User();
PreparedStatement pstmt = null;
ResultSet rs = null;
try {
pstmt = connection.prepareStatement(query);
rs = pstmt.executeQuery();
if (rs.next()) {
String password = rs.getString(4);
if (userPassword.equals(password)) {
System.out.println("๋น๋ฐ๋ฒํธ ์ผ์น " + password);
user.setId(rs.getInt(1));
user.setName(rs.getString(2));
user.setFullName(rs.getString(3));
user.setPassword(rs.getString(4));
user.setEmail(rs.getString(5));
user.setAge(rs.getInt(6));
user.setCreateDate(rs.getTimestamp(7));
}
} else {
user = null;
}
} catch (SQLException e) {
e.printStackTrace();
}
return user;
}์๊ฐ ๋์ ์ ์ฒด์ ์ธ ์ฝ๋์ด๋ค.
๋ฌธ์ ๊ฐ ๋๋ ๋ฐ ์ฝ๋๋ฅผ ๋ณด์.
String query = "select * from user2 where name like '" + userName + "'";userName์ผ๋ก ์กฐํํ๋ ์ฟผ๋ฆฌ๋ฌธ์ด๋ค.
userName์ "๋ '์ด ๋ค์ด๊ฐ๋ค๋ฉด ์ค๋ฅ๊ฐ ๋ ์๋ ์๊ณ , ํดํน ๋นํ ์๋ ์๋ค.
(์ฝ๋ ๋ฆฌ๋ทฐ๋ฅผ ํด์ฃผ์ จ๋๋ฐ, ์ด ๋ถ๋ถ์์ ๋ณด์ ์ทจ์ฝ์ฑ์ด ์๋ค๋ฉด์ ์๋ ค์ฃผ์ จ๋ค.)
โ ์ด๋ป๊ฒ ํดํน์ ํ๋๊ฑธ๊นโ
๊ณต๊ฒฉ์๊ฐ ์ฌ์ฉ์ ์ ๋ ฅ ๋ฐ์ดํฐ๋ฅผ ์กฐ์ํ์ฌ ์ํ์ง ์๋ ์ฟผ๋ฆฌ๋ฅผ ์คํํ๊ฑฐ๋ ๋ฐ์ดํฐ๋ฒ ์ด์ค์ ์ ์์ ์ธ ๋ช ๋ น์ ์ฝ์ ํ ์ ์๋ค.
์๋ฅผ ๋ค์ด, userName ๋ณ์์ '' OR '1'='1' ์ ๊ฐ์ ๊ฐ์ ์ ๋ ฅํ๋ฉด SQL ์ธ์ ์ ๊ณต๊ฒฉ์ ์ํํ ์ ์๋ค.
' OR '1'='1'๋ ํ๋์ ์ฐธ ์กฐ๊ฑด์ ๋ํ๋ด๊ธฐ ๋๋ฌธ์, ๋ชจ๋ ๋ ์ฝ๋๊ฐ ๋ฐํ๋ ์ ์๋ค.
๊ทธ๋์ ๊ณต๊ฒฉ์๋ ์ด ๋ฐฉ์์ ์ฌ์ฉํด์ ๋ฐ์ดํฐ๋ฒ ์ด์ค๋ฅผ ์กฐ์ํ๊ฑฐ๋ ๋ฏผ๊ฐํ ์ ๋ณด์ ์ก์ธ์คํ๋ ค๊ณ ์๋ํ ์ ์๊ธฐ ๋๋ฌธ์ด๋ค.
๊ทธ๋์ SQL ์ธ์ ์ ๊ณต๊ฒฉ์ ๋ฐฉ์งํ๋ ค๋ฉด ์ฌ์ฉ์ ์ ๋ ฅ ๋ฐ์ดํฐ๋ฅผ ์์ ํ๊ฒ ์ฒ๋ฆฌํ๊ณ , SQL ์ฟผ๋ฆฌ๋ฅผ ๊ตฌ์ฑํ ๋๋ Prepared Statements ๋๋ ORM๊ณผ ๊ฐ์ ์์ ํ ๋ฐฉ๋ฒ์ ์ฌ์ฉํด์ผ ํ๋ค.
๊ทธ๋์ SQL ์ฟผ๋ฆฌ๋ฅผ ๋ฏธ๋ฆฌ ์ปดํ์ผํ๊ณ , ์คํ์์ ๋งค๊ฐ๋ณ์ ๊ฐ์ ๋ฐ์ธ๋ฉํ๋ค.
์ฌ์ฉ์ ์ ๋ ฅ์ ์๋์ผ๋ก ์ด์ค์ผ์ดํํ๊ณ SQL ์ฝ์ ์ ๋ฐฉ์งํ๋ค.
๊ทธ๋์ ๋ฐ์ฒ๋ผ ๋ฐ๊ฟจ๋ค.
public User getUser(String userName, String userPassword) {
Connection connection = getConnection();
String query = "select * from user2 where name like ?";
User user = new User();
PreparedStatement pstmt = null;
ResultSet rs = null;
try {
pstmt = connection.prepareStatement(query);
pstmt.setString(1, userName);
rs = pstmt.executeQuery();
if (rs.next()) {
String password = rs.getString(4);
if (userPassword.equals(password)) {
System.out.println("๋น๋ฐ๋ฒํธ ์ผ์น " + password);
user.setId(rs.getInt(1));
user.setName(rs.getString(2));
user.setFullName(rs.getString(3));
user.setPassword(rs.getString(4));
user.setEmail(rs.getString(5));
user.setAge(rs.getInt(6));
user.setCreateDate(rs.getTimestamp(7));
}
} else {
user = null;
}
} catch (SQLException e) {
e.printStackTrace();
}
return user;
}
String query = "select * from user2 where name like ?";
// ๋ฐ๊พผ ๋ถ๋ถ
pstmt.setString(1, userName);
// ์ถ๊ฐํ ๋ถ๋ถ์ด๋ ๊ฒ ๋ฐ๊พธ๋ฉด์ ๋ณด์์ฑ์ ๋ณด์กดํ ์ ์์๋ค.
์์ฉ
%์ ๋ชฉ%์ผ๋ก ๊ฒ์ํ๊ธฐ.
%๊ฐ ๋ค์ด๊ฐ ์ ๋ชฉ์ผ๋ก ๊ฒ์์ ํ๊ณ ์ถ์ ์๋ ์๋ค. ์ด๋ด ๋๋ %๋ฅผ \\%๋ก ๋ฐ๊ฟ์ ๊ฒ์ํ ์ ์๋ค.
์ฟผ๋ฆฌ๋ฌธ : String subject๋ฅผ ์ธ์๋ก ๋ฐ๋๋ค.
if (subject == null) {
query = "SELECT a.id, a.subject, a.content, a.createDate, b.id AS creatorId, b.name AS creatorName, b.fullName AS creatorFullName "
+ " FROM boardpost a, user2 b " + " WHERE a.creatorId = b.id ";
} else {
query = "SELECT a.id, a.subject, a.content, a.createDate, b.id AS creatorId, b.name AS creatorName, b.fullName AS creatorFullName "
+ " FROM boardpost a, user2 b " + " WHERE a.subject like ? and a.creatorId = b.id ";
escapedSubject = (subject.contains("%")? subject.replace("%", "\\%"): subject);
}๋ง์ฝ ์ฌ์ฉ์๊ฐ ์ ๋ ฅํ ๋ฌธ์์ด์ %๊ฐ ๋ค์ด์๋ค๋ฉด //%๋ก ๋์ฒดํด์ฃผ๊ธฐ
pstmt.setString(1, "%" + escapedSubject + "%");๊ทธ๋ฆฌ๊ณ ์๋ค๋ก %๋ฅผ ๋ฃ์ด์ค์ ํฌํจ ๊ฒ์์ด ๊ฐ๋ฅํ๊ฒ ๋ง๋ค์ด์ฃผ๊ธฐ
์ด๋ ๊ฒ ํด์ ๋ณด์์ ์ทจ์ฝ์ฑ์ด ์ฌ๋ผ์ก๋ค.
์ ์ฒด ๋ฉ์๋
public List<BoardPost> getAllBoardPosts(String subject) {
List<BoardPost> boardPosts = new ArrayList<BoardPost>();
String query = "";
String escapedSubject = "";
// subject์ ๊ฐ์ด ์๋ค๋ฉด ๊ฒฐ๊ณผ๊ฐ ๋ณด์ฌ์ฃผ๊ธฐ / ์๋๋ผ๋ฉด ์ ์ฒด ๋ชฉ๋ก ๋ณด์ฌ์ฃผ๊ธฐ
if (subject == null) {
query = "SELECT a.id, a.subject, a.content, a.createDate, b.id AS creatorId, b.name AS creatorName, b.fullName AS creatorFullName "
+ " FROM boardpost a, user2 b " + " WHERE a.creatorId = b.id ";
} else {
query = "SELECT a.id, a.subject, a.content, a.createDate, b.id AS creatorId, b.name AS creatorName, b.fullName AS creatorFullName "
+ " FROM boardpost a, user2 b " + " WHERE a.subject like ? and a.creatorId = b.id ";
escapedSubject = (subject.contains("%")? subject.replace("%", "\\%"): subject);
}
Connection connection = null;
PreparedStatement pstmt = null;
ResultSet resultSet = null;
try {
connection = getConnection();
pstmt = connection.prepareStatement(query);
if(subject != null) {
pstmt.setString(1, "%" + escapedSubject + "%");
}
resultSet = pstmt.executeQuery();
while (resultSet.next()) {
User creator = new User();
long id = resultSet.getLong(1);
String postSubject = resultSet.getString(2);
String content = resultSet.getString(3);
Timestamp dateString = resultSet.getTimestamp(4);
creator.setId(resultSet.getLong(5));
creator.setName(resultSet.getString(6));
creator.setFullName(resultSet.getString(7));
boardPosts.add(new BoardPost(id, postSubject, content, creator, dateString));
}
} catch (SQLException e) {
e.printStackTrace();
} finally {
try {
if (connection != null)
connection.close();
} catch (SQLException e) {
e.printStackTrace();
}
try {
if (pstmt != null)
pstmt.close();
} catch (SQLException e) {
e.printStackTrace();
}
try {
if (resultSet != null)
resultSet.close();
} catch (SQLException e) {
e.printStackTrace();
}
}
return boardPosts;
}