views:

286

answers:

3

I saw this example somewhere:

 rs = connection.prepareStatement("select * from table").executeQuery();

Could I use this format if I want to execute a query like "Select * from table where column = 'hello'"?

The way in which I usually use the prepareStatement object is something like this:

        String sql = "select * from adresa where column = ?";
        PreparedStatement pre = con.prepareStatement(sql);
        pre.setString(1, i);
        rs = pre.executeQuery();

Later Edit:

I don't understand. Pascal Thivent wrote that I can use the short version with IN parameters, but Liu tells me this is not possible. :) Anyway, using Pascal's version, I receive this error: void cannot be dereferenced

A: 

Of course you can use a string variable for the query, in which you put your dynamic data, and run it:

rs = connection.prepareStatement(variable).executeQuery();

Sabeen Malik
Also, if you want to do the dynamic replacing yourself, why not use Statement and executeUpdate()?
Sabeen Malik
statement has different performance characteristics than prepared statement.
Ken Liu
@Ken: yes, I always forget that one. Thank you for pointing that out :)
Sabeen Malik
A: 

You can only use the first form if there are no bind variables (question marks) in the query. It's just a shortened version of what you posted.

Also, if you use the shortened form you won't have the opportunity to reuse the PreparedStatement object.

Ken Liu
I don't understand. Pascal Thivent wrote that I can use the short version with IN parameters, but you tell me this is not possible. :) Anyway, using Pascal's version, I receive this error: void cannot be dereferenced
cc
A: 

The long form is often, but prepared statements can be precompiled by the DB and, if used properly, will help prevent SQL injection.

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

Connection conn = null;
ResultSet rs = null;
PreparedStatement ps = null;
try {
    conn = getConn();
    // note: no sb.append()'s or +'s; the value is bound through '?', which helps prevent SQL injection
    ps = conn.prepareStatement("select * from x where y = ?");
    ps.setLong(1, 12L);
    rs = ps.executeQuery();

    while (rs.next()) {
        // ... act on each row ...
    }
} catch (SQLException e) {
    // don't swallow the failure silently; surface it to the caller
    throw new RuntimeException("query failed", e);
} finally {
    // release in reverse order of acquisition (each close() may itself throw SQLException)
    if (rs != null) rs.close();
    if (ps != null) ps.close();
    if (conn != null) conn.close();
}

Who said Java was verbose? :)

Nathan Feger
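As an added example (not code from the question or from any of the answers above), the three forms discussed in this thread side by side: the chained short form from the question, the bound-parameter form that Ken Liu and Nathan Feger describe, and the "string variable" approach from the first answer. It assumes a table adresa with a column named name and that the caller supplies the Connection; the input value O'Brien is constructed for the illustration.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class PreparedStatementForms {

    // Short form from the question. It is only usable when the SQL contains no '?'
    // placeholders, because prepareStatement(...).executeQuery() never offers a point
    // at which a parameter could be bound.
    static List<String> allRows(Connection conn) throws SQLException {
        List<String> names = new ArrayList<>();
        try (ResultSet rs = conn.prepareStatement("select name from adresa").executeQuery()) {
            while (rs.next()) names.add(rs.getString("name"));
        }
        return names;
    }

    // Bound-parameter form. The value is sent as a parameter, not as SQL text, so a quote
    // inside it (e.g. O'Brien) cannot alter the statement's structure.
    // Chaining it as prepareStatement(sql).setString(1, value).executeQuery() does not
    // compile: setString returns void, which is exactly the "void cannot be dereferenced"
    // error reported in the question.
    static List<String> rowsWhereColumnEquals(Connection conn, String value) throws SQLException {
        List<String> names = new ArrayList<>();
        try (PreparedStatement pre = conn.prepareStatement("select name from adresa where column = ?")) {
            pre.setString(1, value);
            try (ResultSet rs = pre.executeQuery()) {
                while (rs.next()) names.add(rs.getString("name"));
            }
        }
        return names;
    }

    // The "string variable" approach from the first answer: the value becomes part of the
    // SQL text itself. Included only so the contrast is visible; it is the pattern that
    // SQL injection exploits, so it must not be used with untrusted input.
    static String concatenatedSql(String value) {
        return "select name from adresa where column = '" + value + "'";
    }

    public static void main(String[] args) {
        // Constructed input containing a quote: with concatenation the quote terminates the
        // string literal and the statement is no longer the one the developer wrote, whereas
        // the bound parameter above treats the same characters purely as data.
        System.out.println(concatenatedSql("O'Brien"));
    }
}
```

Running main prints the concatenated statement so the broken quoting can be seen without a database; the two query methods need a live Connection and are written with try-with-resources, which also removes the finally-block close() calls from Nathan Feger's version.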