
java and database

 
nikhil govind
Ranch Hand
What is the benefit of using prepareStatement before executing the query rather than directly using executeQuery in Java?
Speed is increased, but is there a security benefit?
 
Jeanne Boyarsky
author & internet detective
Marshal
Likes 1
Yes. A prepared statement uses binding variables ("?"). The database driver escapes the strings passed to those variables. That way someone can't change your query to a different or destructive one. Search for "SQL injection" for some examples.
 
Paul Clapham
Sheriff
Likes 1
There's also the benefit that you don't have to write code which escapes quotes according to the rules of your specific database, and you don't need to write code which formats dates and timestamps according to those rules either.
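To make both answers concrete, here is an added JDBC example (not code from the thread or from any of its posters). It assumes an H2 in-memory database reachable at `jdbc:h2:mem:demo` with the H2 driver on the classpath; the table name, column names and sample rows are constructed for the demo. It shows the concatenated query that Jeanne warns about beside the bound-parameter version, and it inserts a name containing an apostrophe and a timestamp without any hand-written escaping or date formatting, which is Paul's point.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Timestamp;
import java.time.Instant;

public class PreparedStatementDemo {

    // Vulnerable: the caller-supplied value is pasted into the SQL text, so a quote
    // character in the value changes the structure of the statement.
    static int countUsersUnsafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // Safe: the SQL text is fixed and the value is bound to the "?" placeholder.
    // The driver sends it as data, so it can only ever be compared as a name.
    static int countUsersSafe(Connection c, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 in-memory database and driver are available.
        try (Connection c = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = c.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(50), created TIMESTAMP)");
            }

            // Constructed sample rows. No quote escaping for "O'Brien" and no
            // database-specific timestamp literal: setString/setTimestamp handle both.
            String[] names = {"alice", "bob", "O'Brien"};
            try (PreparedStatement ps = c.prepareStatement("INSERT INTO users VALUES (?, ?)")) {
                for (String n : names) {
                    ps.setString(1, n);
                    ps.setTimestamp(2, Timestamp.from(Instant.now()));
                    ps.executeUpdate();
                }
            }

            String normal = "alice";
            String malformed = "x' OR '1'='1";  // textbook input that breaks a concatenated WHERE clause

            System.out.println("unsafe, normal input:    " + countUsersUnsafe(c, normal));
            System.out.println("unsafe, malformed input: " + countUsersUnsafe(c, malformed));
            System.out.println("safe, normal input:      " + countUsersSafe(c, normal));
            System.out.println("safe, malformed input:   " + countUsersSafe(c, malformed));
            // The apostrophe in O'Brien would end the string literal early in the
            // concatenated version; with a bound parameter it is just part of the name.
            System.out.println("safe, O'Brien:           " + countUsersSafe(c, "O'Brien"));
        }
    }
}
```

With the concatenated query, the malformed input turns `WHERE name = 'x' OR '1'='1'` into a condition that matches every row, and a legitimate name like O'Brien throws a syntax error. With the bound parameter, the same strings are compared literally against the column, so the malformed input matches nothing and O'Brien matches its one row. The prepared statement is also the only version that works unchanged across databases with different quoting and date-literal rules.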
 
nikhil govind
Ranch Hand
Thanks a lot, Paul Clapham and Jeanne Boyarsky...
 