The Prepared Statement is a slightly more powerful version of a Statement, and should always be at least as quick and easy to handle as a Statement.
The Prepared Statement may be parametrized.

Most relational databases handle a JDBC / SQL query in four steps:
1. Parse the incoming SQL query
2. Compile the SQL query
3. Plan/optimize the data acquisition path
4. Execute the optimized query / acquire and return data

A Statement will always proceed through the four steps above for each SQL query sent to the database. A Prepared Statement pre-executes steps (1) - (3) in the execution process above. Thus, when creating a Prepared Statement some pre-optimization is performed immediately. The effect is to lessen the load on the database engine at execution time.

Now my question is: is there any other advantage of using a Prepared Statement?

Thanks in advance.

+3  A: 

PreparedStatement is a very good defense (but not foolproof) against SQL injection attacks. Binding parameter values is a good way to guard against "little Bobby Tables" making an unwanted visit.

duffymo
How would one perform SQL injection through a prepared statement then?
Michael Borgwardt
Michael, variables passed as arguments to prepared statements will automatically be escaped by the JDBC driver.
stackoverflowBee
Can you give an example of how a SQL injection attack would work against a prepared statement? Are you assuming a bug in the database code?
Peter Recore
No, not a bug. I don't have a specific scenario, but I am thinking of other responses to this very problem posted on this site. Others have said prepared statement is necessary but not 100% sufficient. It's not a guarantee that SQL injection cannot be done. For example, binding a parameter as a valid string, without checking to make sure that no SQL statements were appended, could leave the app open to attack.
duffymo
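The point made in this answer and its comments, as an added example that is not part of the original post: the same user input goes once into a concatenated query string (what a plain Statement would send to the parser) and once into a bound PreparedStatement parameter, where the driver treats it purely as data. The third method illustrates duffymo's "not foolproof" caveat: a bind parameter cannot stand in for an identifier such as an ORDER BY column, so a caller-supplied column name still has to be checked against an allowlist before it is concatenated. The table `students` and the `Connection` (any JDBC driver) are assumptions for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class BindingDemo {

    // Hypothetical table for the example: students(id, name).
    // What a plain Statement would send: the user's text becomes part of the SQL grammar.
    static String buildUnsafeSql(String name) {
        return "SELECT id, name FROM students WHERE name = '" + name + "'";
    }

    // With a PreparedStatement the SQL text is fixed before any user data arrives;
    // the driver/database treats the bound value as a string literal, never as SQL syntax.
    static List<String> findByNamePrepared(Connection conn, String name) throws SQLException {
        String sql = "SELECT id, name FROM students WHERE name = ?";
        List<String> result = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    result.add(rs.getInt("id") + ":" + rs.getString("name"));
                }
            }
        }
        return result;
    }

    // The caveat: a "?" can only hold a value, not a column or table name. If part of
    // the statement's structure comes from the caller, binding does not cover it, so
    // restrict it to a fixed set of known identifiers before building the SQL text.
    private static final Set<String> SORTABLE_COLUMNS = Set.of("id", "name");

    static List<String> findAllOrdered(Connection conn, String orderBy) throws SQLException {
        if (!SORTABLE_COLUMNS.contains(orderBy)) {
            throw new IllegalArgumentException("unsupported sort column: " + orderBy);
        }
        String sql = "SELECT id, name FROM students ORDER BY " + orderBy;   // safe only after the check above
        List<String> result = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                result.add(rs.getInt("id") + ":" + rs.getString("name"));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        // The "Bobby Tables" input from the answer above (constructed sample value).
        String hostile = "Robert'); DROP TABLE students;--";
        System.out.println(buildUnsafeSql(hostile));
        // The printed text shows the quote closing the literal and the remainder being
        // handed to the parser as further SQL. With setString(1, hostile) the same text
        // is a single name value that simply matches no row.
    }
}
```

`findByNamePrepared` needs no escaping code of its own; the driver sends the value separately from (or correctly quoted within) the already-parsed statement. `findAllOrdered` shows where the PreparedStatement stops helping: the allowlist check is what protects the ORDER BY clause, not the API.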
+1  A: 

Nothing much to add:

1 - if you want to execute a query in a loop (more than once), a prepared statement can be faster, because of the optimization you mentioned.

2 - a parameterized query is a good way to avoid SQL injection, and that is only available in PreparedStatement.

mohammad shamsi
+1  A: 

Advantages of a PreparedStatement:

  1. Precompilation and DB-side caching leads to faster execution (already mentioned by you).
  2. Prevention of SQL injection attacks (already mentioned by duffymo).
  3. Eases setting of non-standard Java objects in a SQL string, e.g. Date, Time, Timestamp, BigDecimal, InputStream (Blob) and Reader (Clob). You could even refactor it all to using PreparedStatement#setObject() inside a loop on a List<Object> or Object[]. On most of those types you can't "just" do a toString() in a simple Statement.
BalusC
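Points 1 and 3 of this answer (prepare once and execute many times; bind non-string Java types without formatting them yourself), together with mohammad shamsi's loop remark above, as an added example that is not part of the original post. It uses the `PreparedStatement#setObject()` loop over an `Object[]` that BalusC mentions, and `addBatch`/`executeBatch` to reuse the one prepared statement for every row. The table `payments` and the `Connection` (any JDBC driver) are assumptions for the example.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.Date;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.util.Arrays;
import java.util.List;

public class TypedParamsDemo {

    // Hypothetical table for the example: payments(account, amount, value_date, created_at).
    private static final String INSERT_SQL =
        "INSERT INTO payments (account, amount, value_date, created_at) VALUES (?, ?, ?, ?)";

    // Bind one row of mixed Java types positionally. The driver maps each object to the
    // matching SQL type (BigDecimal -> NUMERIC, java.sql.Date -> DATE, Timestamp ->
    // TIMESTAMP), so no toString() or hand-written quoting is involved.
    static void bindRow(PreparedStatement ps, Object[] row) throws SQLException {
        for (int i = 0; i < row.length; i++) {
            ps.setObject(i + 1, row[i]);   // JDBC parameter indexes are 1-based
        }
    }

    // Prepare once, execute many times: parse/compile/plan happen for a single statement
    // text, and the batch sends all rows with fewer round trips than one execute per row.
    static int insertAll(Connection conn, List<Object[]> rows) throws SQLException {
        int inserted = 0;
        try (PreparedStatement ps = conn.prepareStatement(INSERT_SQL)) {
            for (Object[] row : rows) {
                bindRow(ps, row);
                ps.addBatch();
            }
            // Drivers may report SUCCESS_NO_INFO (-2) instead of a count; only sum real counts.
            for (int count : ps.executeBatch()) {
                if (count > 0) {
                    inserted += count;
                }
            }
        }
        return inserted;
    }

    // Constructed sample rows: the kinds of values that have no usable toString() for SQL.
    static List<Object[]> sampleRows() {
        return Arrays.asList(
            new Object[] { "ACC-1", new BigDecimal("19.99"),
                           Date.valueOf("2024-01-31"), Timestamp.valueOf("2024-01-31 10:15:00") },
            new Object[] { "ACC-2", new BigDecimal("1250.00"),
                           Date.valueOf("2024-02-01"), Timestamp.valueOf("2024-02-01 09:00:00") }
        );
    }

    public static void main(String[] args) throws SQLException {
        // Obtaining the Connection is left to the caller (DriverManager or a DataSource).
        Connection conn = null; // placeholder: supply a real connection to run this
        if (conn != null) {
            System.out.println("inserted rows: " + insertAll(conn, sampleRows()));
        }
    }
}
```

Because `bindRow` works on any `Object[]`, the same helper serves every statement whose parameters arrive as a list, which is the refactoring BalusC describes; the SQL text itself never changes between rows, which is what lets the database keep the compiled plan.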
+1  A: 

Can't do CLOBs in a Statement.

And: (OraclePreparedStatement) ps

orbfish
A: 
  • It's easier to read
  • You can easily make the query string a constant
nanda