Difference between Statement and PreparedStatement

by

Advantages of a PreparedStatement:

  • Precompilation and DB-side caching of the SQL statement leads to overall faster execution and the ability to reuse the same SQL statement in batches.

  • Automatic prevention of SQL injection attacks by builtin escaping of quotes and other special characters. Note that this requires that you use any of the PreparedStatement setXxx() methods to set the values 

    preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email, birthdate, photo) VALUES (?, ?, ?, ?)");
preparedStatement.setString(1, person.getName());
preparedStatement.setString(2, person.getEmail());
preparedStatement.setTimestamp(3, new Timestamp(person.getBirthdate().getTime()));
preparedStatement.setBinaryStream(4, person.getPhoto());
preparedStatement.executeUpdate();

    and thus don’t inline the values in the SQL string by string-concatenating.

    preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email) VALUES ('" + person.getName() + "', '" + person.getEmail() + "'");
preparedStatement.executeUpdate();

  • Eases setting of non-standard Java objects in a SQL string, e.g. Date, Time, Timestamp, BigDecimal, InputStream (Blob) and Reader (Clob). On most of those types you can’t “just” do a toString() as you would do in a simple Statement. You could even refactor it all to using PreparedStatement#setObject() inside a loop as demonstrated in the utility method below:

    public static void setValues(PreparedStatement preparedStatement, Object... values) throws SQLException {
    for (int i = 0; i < values.length; i++) {
        preparedStatement.setObject(i + 1, values[i]);
    }
}

    Which can be used as below:

    preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email, birthdate, photo) VALUES (?, ?, ?, ?)");
setValues(preparedStatement, person.getName(), person.getEmail(), new Timestamp(person.getBirthdate().getTime()), person.getPhoto());
preparedStatement.executeUpdate();

More Related Contents:

  1. having an exception when saving oracle type object in some entity
  2. PreparedStatement IN clause alternatives?
  3. Is it safe to use a static java.sql.Connection instance in a multithreaded system?
  4. Insert & fetch java.time.LocalDate objects to/from an SQL database such as H2
  5. MySQL JDBC Driver 5.1.33 – Time Zone Issue
  6. SQLException: No suitable driver found for jdbc:derby://localhost:1527
  7. AbstractTableModel GUI display issue
  8. Using “like” wildcard in prepared statement
  9. Android JDBC not working: ClassNotFoundException on driver
  10. Variable column names using prepared statements
  11. Where’s my invalid character (ORA-00911)
  12. Error: Client does not support authentication protocol requested by server; consider upgrading MySQL client
  13. How does Java’s PreparedStatement work?
  14. Java JDBC MySQL exception: “Operation not allowed after ResultSet closed”
  15. PLSQL JDBC: How to get last row ID?
  16. Is asynchronous jdbc call possible?
  17. java.sql.SQLException: No suitable driver found for jdbc:mysql://localhost:3306/dbname [duplicate]
  18. JPA or JDBC, how are they different?
  19. How to write / update Oracle blob in a reliable way?
  20. Execute anonymous pl/sql block and get resultset in java
  21. Setting Network Timeout for JDBC connection
  22. how to get list of Databases “Schema” names of MySql using java JDBC
  23. java error (No suitable driver found)
  24. NamedParameterJdbcTemplate vs JdbcTemplate
  25. Access denied for user ‘root’@’localhost’
  26. How to use prepared statement for select query in Java?
  27. java sql date time
  28. Oracle JDBC : invalid username/password (ora-01017)
  29. Performance of MySQL Insert statements in Java: Batch mode prepared statements vs single insert with multiple values
  30. Iterating a ResultSet using the JDBC for Oracle takes a lot of time about 16s?

Leave a Comment