sql-为什么占位符可以防止sql注入

为什么占位可以防止sql注入，不从什么预编译的角度来将，直接上源码，下面是mysql jar包中的setString方法。

以select * from user where id = ？语句为例，

传入1 or 1=1 ，如果是最后sql为select * from user where id = 1 or 1=1，那么显然会查出所有的数据，但实际没有，为什么？因为传入的参数经过下面的处理，会在前后加上‘，也就是说处理后上面参数变为了'1 or 1 = 1'

select * from user where id = '1 or 1 = 1'

public void setString(int parameterIndex, String x) throws SQLException { // if the passed string is null, then set this column to null if (x == null) { setNull(parameterIndex, Types.CHAR); } else { StringBuffer buf = new StringBuffer((int) (x.length() * 1.1)); buf.append('\''); int stringLength = x.length(); // // Note: buf.append(char) is _faster_ than // appending in blocks, because the block // append requires a System.arraycopy().... // go figure... // for (int i = 0; i < stringLength; ++i) { char c = x.charAt(i); switch (c) { case 0: /* Must be escaped for 'mysql' */ buf.append('\\'); buf.append('0'); break; case '\n': /* Must be escaped for logs */ buf.append('\\'); buf.append('n'); break; case '\r': buf.append('\\'); buf.append('r'); break; case '\\': buf.append('\\'); buf.append('\\'); break; case '\'': buf.append('\\'); buf.append('\''); break; case '"': /* Better safe than sorry */ if (this.usingAnsiMode) { buf.append('\\'); } buf.append('"'); break; case '\032': /* This gives problems on Win32 */ buf.append('\\'); buf.append('Z'); break; default: buf.append(c); } } buf.append('\''); String parameterAsString = buf.toString(); byte[] parameterAsBytes = null; if (!this.isLoadDataQuery) { parameterAsBytes = StringUtils.getBytes(parameterAsString, this.charConverter, this.charEncoding, this.connection .getServerCharacterEncoding(), this.connection .parserKnowsUnicode()); } else { // Send with platform character encoding parameterAsBytes = parameterAsString.getBytes(); } setInternal(parameterIndex, parameterAsBytes); } }