ofcourse 'PreparedStatement' is a solution for tackling the single chords, but remember 'PreparedStatement' is not meant for this purpose.
In best practice it is better to use 'PreparedStatement' only when your qry is executing frequently, or else better use 'Statement' , but you have to tackle the single chords in your string.
stu derby
Ranch Hand
Joined: Dec 15, 2005
Posts: 333
posted
0
Originally posted by seby mathew: ofcourse 'PreparedStatement' is a solution for tackling the single chords, but remember 'PreparedStatement' is not meant for this purpose.
In best practice it is better to use 'PreparedStatement' only when your qry is executing frequently, or else better use 'Statement' , but you have to tackle the single chords in your string.
That's wrong. You should use PreparedStatement for all INSERT/UPDATE/DELETE/SELECT statements that contain data values, most especially if the statement is going to contain user-supplied input, but even if not.
There are many reasons: 1) to protect against SQL-injection attacks 2) more efficient, even when the statement is re-executed with low frequency (possibly as low as once a week, depending on your database and your database load). 3) no problems with escaping single-quote characters 4) greatly reduces problems caused by implicit data-type conversions 5) easier to code and read the SQL; no chance of syntax errors caused by the mess of string concatenations, far far fewer logic errors from coding something other than what you meant.
At my company, when we interview a candidate for a job we give them a small programming problem. If they claim knowledge of JDBC and don't use PrepearedStatement at the appropriates places, we usually don't make them a job offer; we don't have time to train people out of bad and dangerous habits.
seby mathew
Greenhorn
Joined: Apr 19, 2006
Posts: 7
posted
0
There's a popular belief that using a PreparedStatement object is faster than using a Statement object. After all, a prepared statement has to verify its metadata against the database only once, while a statement has to do it every time. The truth of the matter is that it takes about 65 iterations of a prepared statement before its total time for execution catches up with a statement.
Because PreparedStatement objects are precompiled, their execution can be faster than that of Statement objects. Consequently, an SQL statement that is executed many times is often created as a PreparedStatement object to increase efficiency
- java.sun.com
'protection against SQL-injection attacks' is ofcourse an advantage but not the primary advantage.
this is not the right space to discuss the company policy
stu derby
Ranch Hand
Joined: Dec 15, 2005
Posts: 333
posted
0
Originally posted by seby mathew: There's a popular belief that using a PreparedStatement object is faster than using a Statement object. After all, a prepared statement has to verify its metadata against the database only once, while a statement has to do it every time. The truth of the matter is that it takes about 65 iterations of a prepared statement before its total time for execution catches up with a statement.
That widely cited performance test (using Oracle) has a major bug in it and was totally discredited years ago; it was actually comparing the time to execute a set of Statements with the time to load the PreparedStatement class plus execute the same sized set of PreparedStatements. Class loading time is very significant, so it was an "apples to oranges" test that gives wrong and misleading results.
In fact, when the test is done correctly, executing a single PreparedStatement is about as fast as a single Statement, and after that, PreparedStatement is faster (on Oracle). A quick summary of results:
Because PreparedStatement objects are precompiled, their execution can be faster than that of Statement objects. Consequently, an SQL statement that is executed many times is often created as a PreparedStatement object to increase efficiency
- java.sun.com
When it comes to Oracle database performance, I would rather believe Tom Kyte, a VP at Oracle and the author of my above-cited link to anything Sun has to say.
'protection against SQL-injection attacks' is ofcourse an advantage but not the primary advantage.
I don't know how you rate something "primary", but I consider preventing unauthorized use or even unauthorized destruction of data by strangers on the Internet pretty important.
this is not the right space to discuss the company policy
Using PreparedStatement correctly is important enough that a company that has been using JDBC extensively for 7 years considers the inappropriate use of Statement as a warning sign when making hiring decisions.
I agree. Here's the link: http://ej-technologies/jprofiler - if it wasn't for jprofiler, we would need to
run our stuff on 16 servers instead of 3.
0
