Differences between PreparedStatement and statement 1. PreparedStatement is pre-compiled, which greatly improves the efficiency of batch processing. It is also called JDBC Stored Procedure 2. It uses Statement objects. When only one-time access is performed to the database, the Statement object is used for processing. The overhead of the PreparedStatement object is greater than that of the Statement object, which does not bring additional benefits to one-time operations. 3. Each time statement executes an SQL statement, the relevant database must compile the SQL statement. preparedstatement is pre-compiled. preparedstatement supports batch processing. 4. Code Fragment 1: www.2cto.com String updateString = "update coffees set sales = 75" + "WHERE COF_NAME LIKE 'Colombian'" using stmt.exe cuteUpdate (updateString); Code Fragment 2: PreparedStatement updateSales = con. prepareStatement ("update coffees set sales =? WHERE COF_NAME LIKE? "); UpdateSales. setInt (1, 75); updateSales. setString (2, "Colombian" );updateSales.exe cuteUpdate (); the difference between Segment 2 and segment 1 is that the latter uses the PreparedStatement object, while the former is a common Statement object. The PreparedStatement object not only contains the SQL statement, but also has been pre-compiled in most cases. Therefore, when executing the statement, you only need to run the SQL statement in the DBMS instead of compiling it first. When you need to execute the Statement object multiple times, the PreparedStatement object will greatly reduce the running time and, of course, speed up database access.
This conversion also brings you great convenience. You do not have to repeat the syntax of SQL statements. Instead, you only need to change the value of the variable to execute the SQL statement again. Whether the PreparedStatement object is selected depends on whether the SQL statements with the same syntax are executed multiple times, and the difference between the two statements is only the difference between variables. If it is executed only once, it should be no different from ordinary objects, and it does not reflect the superiority of its pre-compilation. 5. JDBC programs that execute many SQL statements generate a large number of Statement and PreparedStatement objects. The PreparedStatement object is generally considered to be more effective than the Statement object, especially when the same SQL Statement with different parameters is executed multiple times. The PreparedStatement object allows the database to pre-compile SQL statements, saving time and increasing code readability in subsequent operations. However, in the Oracle environment, developers actually have more flexibility. When Statement or PreparedStatement object is used, the Oracle database caches SQL statements for later use. In some cases, execution of the PreparedStatement object takes a longer time because the drive itself requires additional processing and added network activity between the Java application and the Oracle server. However, in addition to buffering, there is at least one better reason for us to prefer PreparedStatement objects in enterprise applications, that is, security. Parameters passed to the PreparedStatement object can be forcibly converted, so that developers can ensure that they match the underlying database format when inserting or querying data. When processing data from users on a public Web site, security issues become extremely important. The string parameter passed to PreparedStatement is automatically ignored by the drive. In the simplest case, this means that when your program tries to insert the string "D 'Angelo" into VARCHAR2, this statement will not recognize the first ",", this leads to a miserable failure. There is almost no need to create your own strings to ignore the code. In the Web environment, malicious users use applications that are poorly designed and cannot correctly process strings. Especially on public websites, all user input should not be passed to SQL statements without PreparedStatement object processing. In addition, SQL statements should not be displayed when users have the opportunity to modify SQL statements, such as HTML hidden areas or a query string. Www.2cto.com 6. Generally, I am used to using PreparedStatement to operate databases. PreparedStatement is a pre-compiled method, which requires higher efficiency when executing SQL statements. In addition, PreparedStatement can better avoid SQL Injection problems. When splicing SQL statements, the use of PreparedStatement can effectively reduce the probability of errors. PreparedStatement is a subclass of Statement. Naturally, PreparedStatement extends the Statement and improves the performance. Author chow _ zh