Difference between Statement and PreparedStatement

前端 未结 15 1129
野的像风
野的像风 2020-11-22 02:49

The Prepared Statement is a slightly more powerful version of a Statement, and should always be at least as quick and easy to handle as a Statement.
The Prepared Stateme

相关标签:
15条回答
  • 2020-11-22 03:17

    I followed all the answers of this question to change a working legacy code using - Statement ( but having SQL Injections ) to a solution using PreparedStatement with a much slower code because of poor understanding of semantics around Statement.addBatch(String sql) & PreparedStatement.addBatch().

    So I am listing my scenario here so others don't make same mistake.

    My scenario was

    Statement statement = connection.createStatement();
    
    for (Object object : objectList) {
        //Create a query which would be different for each object 
        // Add this query to statement for batch using - statement.addBatch(query);
    }
    statement.executeBatch();
    

    So in above code , I had thousands of different queries, all added to same statement and this code worked faster because statements not being cached was good & this code executed rarely in the app.

    Now to fix SQL Injections, I changed this code to ,

    List<PreparedStatement> pStatements = new ArrayList<>();    
    for (Object object : objectList) {
        //Create a query which would be different for each object 
        PreparedStatement pStatement =connection.prepareStatement(query);
        // This query can't be added to batch because its a different query so I used list. 
        //Set parameter to pStatement using object 
        pStatements.add(pStatement);
    }// Object loop
    // In place of statement.executeBatch(); , I had to loop around the list & execute each update separately          
    for (PreparedStatement ps : pStatements) {
        ps.executeUpdate();
    }
    

    So you see, I started creating thousands of PreparedStatement objects & then eventually not able to utilize batching because my scenario demanded that - there are thousands of UPDATE or INSERT queries & all of these queries happen to be different.

    Fixing SQL injection was mandatory at no cost of performance degradation and I don't think that it is possible with PreparedStatement in this scenario.

    Also, when you use inbuilt batching facility, you have to worry about closing only one Statement but with this List approach, you need to close statement before reuse , Reusing a PreparedStatement

    0 讨论(0)
  • 2020-11-22 03:19

    Statement will be used for executing static SQL statements and it can't accept input parameters.

    PreparedStatement will be used for executing SQL statements many times dynamically. It will accept input parameters.

    0 讨论(0)
  • 2020-11-22 03:20

    nothing much to add,

    1 - if you want to execute a query in a loop (more than 1 time), prepared statement can be faster, because of optimization that you mentioned.

    2 - parameterized query is a good way to avoid SQL Injection. Parameterized querys are only available in PreparedStatement.

    0 讨论(0)
提交回复
热议问题