Statement stmt = con.createStatement();
// str1 is pasted straight into the SQL text
String query = "select * from table1 where col1=" + str1;
ResultSet rs = stmt.executeQuery(query);
I read that when I call the executeQuery() or executeUpdate() method, the stmt object sends the query to the DBMS. I want to know where this will be compiled. I got this doubt when I was reading the following line on Sun's site:
"The main feature of a PreparedStatement object is that, unlike a Statement object, it is given an SQL statement when it is created. The advantage to this is that in most cases, this SQL statement will be sent to the DBMS right away, where it will be compiled. As a result, the PreparedStatement object contains not just an SQL statement, but an SQL statement that has been precompiled"
Can you tell me the exact difference between Statement and PreparedStatement objects?
posted 11 years ago
This is the exact difference, buddy.
PreparedStatement is precompiled. Statement is not.
Moreover, SQL injection doesn't work with PreparedStatement. It could work with Statement, unless you take care of it yourself.
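To make the difference concrete, here is an added example (not code from the original post or its author) that runs the question's query both ways against a small table. It assumes an H2 in-memory database and its JDBC driver on the classpath; the URL, table contents and the attacker input "1 or 1=1" are all constructed for the demo. With Statement the input is spliced into the SQL text, so the DBMS compiles "where col1=1 or 1=1" and returns every row; with PreparedStatement the SQL text is fixed and compiled once, and str1 is shipped separately as a typed parameter value that can never alter the statement's structure.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class StatementVsPrepared {
    // Assumption: H2 driver on the classpath; any JDBC URL would do.
    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    // Constructed sample data, not from the original post.
    static void setup(Connection con) throws SQLException {
        try (Statement s = con.createStatement()) {
            s.executeUpdate("create table table1 (col1 int, secret varchar(20))");
            s.executeUpdate("insert into table1 values (1, 'alice'), (2, 'bob'), (3, 'carol')");
        }
    }

    // The pattern from the question: str1 becomes part of the SQL text,
    // so the DBMS compiles whatever the caller typed as SQL.
    static int countWithStatement(Connection con, String str1) throws SQLException {
        String query = "select * from table1 where col1=" + str1;
        try (Statement stmt = con.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {
            return countRows(rs);
        }
    }

    // The SQL text is fixed and sent to the DBMS for compilation once;
    // str1 travels separately as a bound value for the '?' placeholder.
    static int countWithPrepared(Connection con, String str1) throws SQLException {
        String query = "select * from table1 where col1=?";
        try (PreparedStatement ps = con.prepareStatement(query)) {
            // col1 is numeric, so parse the input instead of pasting it;
            // "1 or 1=1" is rejected here with a NumberFormatException.
            ps.setInt(1, Integer.parseInt(str1));
            try (ResultSet rs = ps.executeQuery()) {
                return countRows(rs);
            }
        }
    }

    static int countRows(ResultSet rs) throws SQLException {
        int n = 0;
        while (rs.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(URL)) {
            setup(con);
            String honest = "1";
            String hostile = "1 or 1=1"; // constructed attacker input
            System.out.println("Statement, honest input:  " + countWithStatement(con, honest));
            System.out.println("Statement, hostile input: " + countWithStatement(con, hostile));
            System.out.println("Prepared,  honest input:  " + countWithPrepared(con, honest));
            try {
                countWithPrepared(con, hostile);
            } catch (NumberFormatException e) {
                System.out.println("Prepared,  hostile input: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running it shows the Statement path returning one row for "1" but all three rows for "1 or 1=1", while the PreparedStatement path returns one row for "1" and refuses the hostile string outright. Note that the protection comes from the parameter being bound separately from the SQL text; a PreparedStatement whose SQL string is itself built by concatenating user input is just as injectable as a Statement.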