Originally posted by Anurag Gupta:
You can use Statements for various queries to add in the batch. However, two things need to be considered:
1) Performance while using Statements.
2) If there are any user inputs (in the query) from the front end, like posting an HTML form, then there is a possibility of SQL injection, and the application security can be compromised. SQL injection is easily possible if you are using Statements, but not so easy with PreparedStatement.
Not sure what you are saying for consideration 1. Performance is largely dependent on the driver implementation. For performance using the Oracle drivers, have a look at Java Programming with Oracle JDBC, Chapter 19 - Performance. Even if you are not using Oracle's driver/database, it is a good benchmark for JDBC performance in a general sense as well.
Regarding consideration 2, this is more a product of sloppy programming practices than a deficiency in the Statement/JDBC implementations. If you are wondering what SQL injection is, have a read of Application-Level Attacks (on Oracle).
Jamie
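To make the Statement-versus-PreparedStatement point from the thread concrete, here is an added example (not code from either poster) that batches the same rows both ways. It assumes a hypothetical table `users(name, email)` and a placeholder JDBC URL; the sample rows are constructed, and one of them contains a legitimate single quote (O'Brien) to show how concatenated text breaks while bind parameters carry the value intact.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

public class BatchInsertExample {

    // Placeholder JDBC URL (assumption): replace with the driver/database you actually use.
    private static final String JDBC_URL = "jdbc:yourdriver://localhost/yourdb";

    /**
     * Builds the SQL text a Statement batch would send for one row by concatenating
     * the user-supplied values into the query. Kept separate from execution so the
     * resulting text can be inspected without a database connection.
     */
    static String concatenatedInsert(String name, String email) {
        return "INSERT INTO users (name, email) VALUES ('" + name + "', '" + email + "')";
    }

    /** The pattern the thread warns about: form input becomes part of each batched statement. */
    static int[] insertUsersWithStatement(Connection conn, List<String[]> rows) throws SQLException {
        try (Statement st = conn.createStatement()) {
            for (String[] row : rows) {
                st.addBatch(concatenatedInsert(row[0], row[1]));
            }
            return st.executeBatch();
        }
    }

    /** The safer form: the SQL text is fixed, and values travel as bind parameters. */
    static int[] insertUsersWithPreparedStatement(Connection conn, List<String[]> rows) throws SQLException {
        String sql = "INSERT INTO users (name, email) VALUES (?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (String[] row : rows) {
                ps.setString(1, row[0]);
                ps.setString(2, row[1]);
                ps.addBatch();
            }
            return ps.executeBatch();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Constructed sample input, as it might arrive from an HTML form.
        // "O'Brien" is ordinary data, but its quote changes the meaning of concatenated SQL.
        List<String[]> rows = List.of(
                new String[]{"alice", "alice@example.com"},
                new String[]{"O'Brien", "obrien@example.com"});

        // Inspect what the Statement batch would actually send: the second row is already
        // malformed, which is the same mechanism that lets crafted input alter the query.
        for (String[] row : rows) {
            System.out.println("Statement batch would send: " + concatenatedInsert(row[0], row[1]));
        }

        try (Connection conn = DriverManager.getConnection(JDBC_URL)) {
            conn.setAutoCommit(false);
            int[] counts = insertUsersWithPreparedStatement(conn, rows);
            conn.commit();
            System.out.println("Rows inserted via PreparedStatement batch: " + counts.length);
        }
    }
}
```

Running `main` against a real database needs a driver on the classpath and a working URL; `concatenatedInsert` can be called on its own to see the generated text. Note that the PreparedStatement version also addresses the performance consideration from the thread: the SQL is parsed once and only the parameter values change per `addBatch()` call, while the Statement batch sends a distinct query string for every row.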