Hi,
You should use a PreparedStatement for all but the most simple queries.
There are several reasons:
PreparedStatement allows you to bind parameters. You do not have to paste SQL queries together, e.g.:
Statement:
"select myresult from mytable where myid = " + myId + " and myClass = '" + myClass + "'"
PreparedStatement:
"select myresult from mytable where myid = ? and myclass = ?"
PreparedStatement prevents SQL injection (look this up on the web, lots of info to be found).
PreparedStatement takes care of escaping issues: try to write a Statement query where you want to insert a string with double quotes in it, like:
Tom says "How are you?"
If you execute a PreparedStatement twice, the database recognises it as the same statement executed two times. The execution plan can be reused.
If you execute a Statement twice, with one value in the where clause different, the database thinks it is a new query and starts to analyse it all over.
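The points above, as an added JDBC example (not code from the original post): the concatenating Statement version beside the parameterised PreparedStatement version, an insert of the double-quoted value, and one PreparedStatement reused for several ids. It assumes the table and column names from the post (mytable, myid, myclass, myresult, with myid numeric and the other two text) and a JDBC URL for whatever driver and database the reader has; both are assumptions, not something the post specifies.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class PreparedStatementDemo {

    // "Before": SQL text built by concatenation, as in the post's Statement example.
    // Any quote character inside myClass becomes part of the SQL grammar instead
    // of part of the value, so the query breaks (or changes meaning) on such input.
    public static List<String> findWithStatement(Connection conn, long myId, String myClass)
            throws SQLException {
        String sql = "select myresult from mytable where myid = " + myId
                + " and myclass = '" + myClass + "'";
        List<String> results = new ArrayList<>();
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) {
                results.add(rs.getString("myresult"));
            }
        }
        return results;
    }

    // "After": the SQL text is fixed and holds only placeholders. The values are
    // handed to the driver separately, so the database never parses them as SQL
    // and no quote escaping is needed in application code.
    public static List<String> findWithPreparedStatement(Connection conn, long myId, String myClass)
            throws SQLException {
        String sql = "select myresult from mytable where myid = ? and myclass = ?";
        List<String> results = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, myId);
            ps.setString(2, myClass);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    results.add(rs.getString("myresult"));
                }
            }
        }
        return results;
    }

    // Inserting the awkward value from the post: the double quotes travel as data.
    public static int insertResult(Connection conn, long myId, String myClass, String myResult)
            throws SQLException {
        String sql = "insert into mytable (myid, myclass, myresult) values (?, ?, ?)";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, myId);
            ps.setString(2, myClass);
            ps.setString(3, myResult);
            return ps.executeUpdate();
        }
    }

    // Reuse: one PreparedStatement executed once per id. The SQL text the database
    // sees is identical every time, so a driver/database that caches execution
    // plans can reuse the plan (as the reply below notes, that depends on the driver).
    public static int countAcrossIds(Connection conn, long[] ids, String myClass)
            throws SQLException {
        String sql = "select myresult from mytable where myid = ? and myclass = ?";
        int total = 0;
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            for (long id : ids) {
                ps.setLong(1, id);
                ps.setString(2, myClass);
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        total++;
                    }
                }
            }
        }
        return total;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed: the reader supplies a JDBC URL for their own driver and database.
        String jdbcUrl = args.length > 0 ? args[0] : "jdbc:YOUR_DRIVER://host/db";
        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
            insertResult(conn, 1, "greeting", "Tom says \"How are you?\"");
            // A legitimate value containing an apostrophe: with concatenation the
            // string literal ends early and the remainder is a syntax error.
            String awkwardClass = "O'Brien's class";
            try {
                findWithStatement(conn, 1, awkwardClass);
            } catch (SQLException e) {
                System.out.println("Statement failed on a quote in the value: " + e.getMessage());
            }
            // Same value as a bound parameter: no problem.
            System.out.println(findWithPreparedStatement(conn, 1, awkwardClass));
            System.out.println(countAcrossIds(conn, new long[] {1, 2, 3}, "greeting"));
        }
    }
}
```

Run it with the JDBC URL as the first argument and the driver on the classpath. The setLong/setString calls are what keep the values out of the SQL text; that single difference is what gives you the escaping and injection protection the post describes.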
As we know, PreparedStatements are pre-compiled statements, and hence the compile time will be reduced.
Depends on your driver / database. This is not a given.