java sql 注入 与防范

package com.jdbc;

import java.sql.*;
import java.util.Scanner;

public class loginDemo {
    public static void main(String[] args)throws ClassNotFoundException, SQLException {
        //1.注册驱动
        Class.forName("com.mysql.jdbc.Driver");
        //2.连接
        String url = "jdbc:mysql://localhost:3306/zfj";
        String username = "root";
        String password = "root";
        Connection con = DriverManager.getConnection(url,username,password);
        //3.语句执行对象 (执行sql) 返回值 Statement
        //Statement stat = con.createStatement();

        Scanner sc = new Scanner(System.in);
        String user = sc.nextLine();
        String pas = sc.nextLine();


        //4.执行sql 查询 select
        String sql = "SELECT * FROM user where user_name= ? AND user_sex=?";
        //防止注入
        PreparedStatement pst = con.prepareStatement(sql);
        pst.setObject(1,user);
        pst.setObject(2,pas);
        System.out.println(sql);
        ResultSet rs = pst.executeQuery();
        //处理结果集
        while (rs.next()){
            //获取每列的的数据
            System.out.println(rs.getString("id")+"  "+rs.getString("user_name")+"  "+rs.getString("user_age")+"  "+rs.getString("user_sex"));
        }

        //5.释放资源
        rs.close();
        pst.close();
        con.close();
    }
}