JavaRanch » Java Forums » Databases » JDBC and Relational Databases
java and database

nikhil govind
Ranch Hand

Joined: Mar 08, 2011
Posts: 31
What is the benefit of using PreparedStatement before executing the query, rather than directly using executeQuery in Java?
Speed is increased, but is there a security benefit?
Jeanne Boyarsky
author & internet detective

Joined: May 26, 2003
Posts: 33102

Yes. A prepared statement uses binding variables ("?"). The database driver escapes the strings passed to those variables. That way someone can't change your query to a different or destructive one. Search for "sql injection" for some examples.

Paul Clapham

Joined: Oct 14, 2005
Posts: 19973

There's also the benefit that you don't have to write code which escapes quotes according to the rules of your specific database, and you don't need to write code which formats dates and timestamps according to those rules either.
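Both answers above in running code, as an added example that is not from the original thread: Python's sqlite3 module is used because it binds `?` parameters the same way a JDBC PreparedStatement does, and the users table and names are constructed. It shows the concatenated query failing on a legitimate name containing a quote (Paul's point) and having its WHERE clause rewritten by tainted input, while the bound query handles both cases (Jeanne's point).

```python
import sqlite3

# Constructed sample table (not from the original thread) standing in for a
# real users table; note the legitimate name that contains a quote.
SAMPLE_ROWS = [("alice", 1), ("O'Brien", 1), ("bob", 0)]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def active_user_concatenated(conn, name):
    """Query built by string concatenation: the caller's input becomes SQL text,
    so a quote in it ends the literal and whatever follows is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND active = 1"
    return [row[0] for row in conn.execute(sql)]

def active_user_bound(conn, name):
    """Same query with a ? binding variable, the way a JDBC PreparedStatement
    sends it: the value travels separately from the statement text and is
    only ever compared against the column, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND active = 1"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name):
    """Run both variants on one input and return (concatenated, bound).
    A SQL error raised by the concatenated variant is reported as the
    string "SQL_ERROR" so the two outcomes can be compared side by side."""
    conn = make_db()
    try:
        concatenated = active_user_concatenated(conn, name)
    except sqlite3.Error:
        concatenated = "SQL_ERROR"
    return concatenated, active_user_bound(conn, name)

if __name__ == "__main__":
    # Plain input: both variants agree.
    print(compare("alice"))            # (['alice'], ['alice'])
    # Legitimate name with a quote: concatenation breaks, binding just works.
    print(compare("O'Brien"))          # ('SQL_ERROR', ["O'Brien"])
    # Input carrying a quote plus SQL: concatenation lets it rewrite the WHERE
    # clause (every row comes back, the inactive one included); binding
    # compares the whole string as a name and matches nothing.
    print(compare("bob' OR '1'='1"))   # (['alice', "O'Brien", 'bob'], [])
```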
nikhil govind
Ranch Hand

Joined: Mar 08, 2011
Posts: 31
Thanks a lot Paul Clapham and Jeanne Boyarsky...