aspose file tools*
The moose likes JDBC and the fly likes java and database Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login
JavaRanch » Java Forums » Databases » JDBC
Bookmark "java and database" Watch "java and database" New topic
Author

java and database

nikhil govind
Ranch Hand

Joined: Mar 08, 2011
Posts: 31
what is the benefit of using preparestatement before executing the query than directly using execute query in java ?
speed is increased but is there a security benefit ?
Jeanne Boyarsky
internet detective
Marshal

Joined: May 26, 2003
Posts: 30537
    
150

Yes. A prepared statement uses binding variables ("?"). The database driver escapes the strings passed to those variables. That way someone can't change your query to a different or destructive one. Search for "sql injection" for some examples.


[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18570
    
    8

There's also the benefit that you don't have to write code which escapes quotes according to the rules of your specific database, and you don't need to write code which formats dates and timestamps according to those rules either.
nikhil govind
Ranch Hand

Joined: Mar 08, 2011
Posts: 31
thanks a lot Paul Clapham and Jeanne Boyarsky...
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: java and database