K. Tsang wrote: Are you using stored procedures to return the result set? If not, a PreparedStatement is better.
Here's more info on why a PreparedStatement with bind variables is better.
...
As compared to executing SQL statements directly, prepared statements offer two main advantages:[1]
The overhead of compiling and optimizing the statement is incurred only once, although the statement is executed multiple times. Not all optimization can be performed at the time the prepared statement is compiled, for two reasons: the best plan may depend on the specific values of the parameters, and the best plan may change as tables and indexes change over time.[2]

Prepared statements are resilient against SQL injection, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.
...
I suspect there's probably still some super-hacker trick to get around the
SQL-injection protection here, but it's a lot safer than using plain SQL strings.
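Added example, not from the post above or from the poster: the two points the quoted text makes, that binding keeps values out of the statement template and that the protection only holds while the template itself is not built from input. It uses Python's standard sqlite3 module as a stand-in for a JDBC PreparedStatement (the `?` placeholders bind the same way), an in-memory table with constructed sample rows, and hypothetical function names; the "sort column" injection it shows is the usual hole left open by PreparedStatement, since identifiers such as column names cannot be bound as parameters.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
# The email order deliberately differs from the name order so that an
# ORDER BY injection produces a visible difference.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 1),
    ("bob",   "bob@example.com",   0),
    ("carol", "aaa@example.com",   0),
]


def make_db():
    """Build an in-memory database with the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    # Bound parameters for the inserts too; the row values never touch the SQL text.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the caller's text is spliced into the statement template."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Bound parameter: the template is fixed, the value travels separately.

    Whatever quotes or keywords the value contains, the database compares
    it as a string against the name column; it is never parsed as SQL.
    """
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Column names cannot be bound as parameters (a placeholder is a value, not an
# identifier), so a template built from input stays injectable even with
# prepared statements. Allowlisting the identifier closes that gap.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted_unsafe(conn, sort_column):
    """Vulnerable: the ORDER BY expression is taken from the caller verbatim."""
    sql = f"SELECT name FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


def list_users_sorted(conn, sort_column):
    """Hardened: the identifier is checked against a fixed allowlist first."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT name FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]


def admin_probe(target_name):
    """Hypothetical ORDER BY payload: sorts by name if the target is an admin,
    by email otherwise, leaking one bit per request through the row order."""
    return (
        f"CASE WHEN (SELECT is_admin FROM users WHERE name='{target_name}')=1 "
        "THEN name ELSE email END"
    )


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("unsafe lookup:", find_user_unsafe(db, payload))   # every row
    print("bound lookup: ", find_user_safe(db, payload))     # no rows
    print("probe alice:  ", list_users_sorted_unsafe(db, admin_probe("alice")))
    print("probe bob:    ", list_users_sorted_unsafe(db, admin_probe("bob")))
```

Running it shows the classic `' OR '1'='1` returning the whole table through the concatenated query and nothing through the bound one, and then the ORDER BY probe ordering rows differently depending on whether the named user is an admin, even though `is_admin` is never in the result set. The lesson for JDBC is the same: bind every value with a `?`, and for anything that must be part of the statement text (table or column names, sort direction) map the input onto a fixed set of known-good strings rather than concatenating it.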