发表新帖
发表新帖

Difference between Statement and PreparedStatement

前端 未结
关注
15 1104
野的像风
野的像风 2020-11-22 02:49

The Prepared Statement is a slightly more powerful version of a Statement, and should always be at least as quick and easy to handle as a Statement.
The Prepared Stateme

相关标签:
15条回答
  • 醉梦人生
    2020-11-22 02:58

    Advantages of a PreparedStatement:

    • Precompilation and DB-side caching of the SQL statement leads to overall faster execution and the ability to reuse the same SQL statement in batches.

    • Automatic prevention of SQL injection attacks by builtin escaping of quotes and other special characters. Note that this requires that you use any of the PreparedStatement setXxx() methods to set the values 

      preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email, birthdate, photo) VALUES (?, ?, ?, ?)");
preparedStatement.setString(1, person.getName());
preparedStatement.setString(2, person.getEmail());
preparedStatement.setTimestamp(3, new Timestamp(person.getBirthdate().getTime()));
preparedStatement.setBinaryStream(4, person.getPhoto());
preparedStatement.executeUpdate();

      and thus don't inline the values in the SQL string by string-concatenating.

      preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email) VALUES ('" + person.getName() + "', '" + person.getEmail() + "'");
preparedStatement.executeUpdate();

    • Eases setting of non-standard Java objects in a SQL string, e.g. Date, Time, Timestamp, BigDecimal, InputStream (Blob) and Reader (Clob). On most of those types you can't "just" do a toString() as you would do in a simple Statement. You could even refactor it all to using PreparedStatement#setObject() inside a loop as demonstrated in the utility method below:

      public static void setValues(PreparedStatement preparedStatement, Object... values) throws SQLException {
    for (int i = 0; i < values.length; i++) {
        preparedStatement.setObject(i + 1, values[i]);
    }
}

      Which can be used as below:

      preparedStatement = connection.prepareStatement("INSERT INTO Person (name, email, birthdate, photo) VALUES (?, ?, ?, ?)");
setValues(preparedStatement, person.getName(), person.getEmail(), new Timestamp(person.getBirthdate().getTime()), person.getPhoto());
preparedStatement.executeUpdate();
    0 讨论(0)
  • 不思量自难忘°
    2020-11-22 02:58

    Statement is static and prepared statement is dynamic.

    Statement is suitable for DDL and prepared statment for DML.

    Statement is slower while prepared statement is faster.

    more differences (archived)

    0 讨论(0)
  • 半阙折子戏
    2020-11-22 02:58

    Can't do CLOBs in a Statement.

    And: (OraclePreparedStatement) ps

    0 讨论(0)
  • 南旧
    2020-11-22 02:58

    As Quoted by mattjames

    The use of a Statement in JDBC should be 100% localized to being used for DDL (ALTER, CREATE, GRANT, etc) as these are the only statement types that cannot accept BIND VARIABLES. PreparedStatements or CallableStatements should be used for EVERY OTHER type of statement (DML, Queries). As these are the statement types that accept bind variables.

    This is a fact, a rule, a law -- use prepared statements EVERYWHERE. Use STATEMENTS almost no where.

    0 讨论(0)
  • 一整个雨季
    2020-11-22 03:01

    sql injection is ignored by prepared statement so security is increase in prepared statement

    0 讨论(0)
  • 臣服心动
    2020-11-22 03:03

    PreparedStatement is a very good defense (but not foolproof) in preventing SQL injection attacks. Binding parameter values is a good way to guarding against "little Bobby Tables" making an unwanted visit.

    0 讨论(0)
 看不清?
提交回复
热议问题