Difference between Statement and PreparedStatement

前端 未结 15 1128
野的像风
野的像风 2020-11-22 02:49

The Prepared Statement is a slightly more powerful version of a Statement, and should always be at least as quick and easy to handle as a Statement.
The Prepared Stateme

相关标签:
15条回答
  • 2020-11-22 02:58

    Advantages of a PreparedStatement:

    • Precompilation and DB-side caching of the SQL statement leads to overall faster execution and the ability to reuse the same SQL statement in batches.

    • Automatic prevention of SQL injection attacks by builtin escaping of quotes and other special characters. Note that this requires that you use any of the PreparedStatement setXxx() methods to set the values

      preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email, birthdate, photo) VALUES (?, ?, ?, ?)");
      preparedStatement.setString(1, person.getName());
      preparedStatement.setString(2, person.getEmail());
      preparedStatement.setTimestamp(3, new Timestamp(person.getBirthdate().getTime()));
      preparedStatement.setBinaryStream(4, person.getPhoto());
      preparedStatement.executeUpdate();
      

      and thus don't inline the values in the SQL string by string-concatenating.

      preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email) VALUES ('" + person.getName() + "', '" + person.getEmail() + "'");
      preparedStatement.executeUpdate();
      
    • Eases setting of non-standard Java objects in a SQL string, e.g. Date, Time, Timestamp, BigDecimal, InputStream (Blob) and Reader (Clob). On most of those types you can't "just" do a toString() as you would do in a simple Statement. You could even refactor it all to using PreparedStatement#setObject() inside a loop as demonstrated in the utility method below:

      public static void setValues(PreparedStatement preparedStatement, Object... values) throws SQLException {
          for (int i = 0; i < values.length; i++) {
              preparedStatement.setObject(i + 1, values[i]);
          }
      }
      

      Which can be used as below:

      preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email, birthdate, photo) VALUES (?, ?, ?, ?)");
      setValues(preparedStatement, person.getName(), person.getEmail(), new Timestamp(person.getBirthdate().getTime()), person.getPhoto());
      preparedStatement.executeUpdate();
      
    0 讨论(0)
  • 2020-11-22 02:58

    Statement is static and prepared statement is dynamic.

    Statement is suitable for DDL and prepared statment for DML.

    Statement is slower while prepared statement is faster.

    more differences (archived)

    0 讨论(0)
  • 2020-11-22 02:58

    Can't do CLOBs in a Statement.

    And: (OraclePreparedStatement) ps

    0 讨论(0)
  • 2020-11-22 02:58

    As Quoted by mattjames

    The use of a Statement in JDBC should be 100% localized to being used for DDL (ALTER, CREATE, GRANT, etc) as these are the only statement types that cannot accept BIND VARIABLES. PreparedStatements or CallableStatements should be used for EVERY OTHER type of statement (DML, Queries). As these are the statement types that accept bind variables.

    This is a fact, a rule, a law -- use prepared statements EVERYWHERE. Use STATEMENTS almost no where.

    0 讨论(0)
  • 2020-11-22 03:01

    sql injection is ignored by prepared statement so security is increase in prepared statement

    0 讨论(0)
  • 2020-11-22 03:03

    PreparedStatement is a very good defense (but not foolproof) in preventing SQL injection attacks. Binding parameter values is a good way to guarding against "little Bobby Tables" making an unwanted visit.

    0 讨论(0)
提交回复
热议问题