Geek Answers Handbook

Why is an “expression” required if the “prepared” expression is superior?

The Statement object, as I understand it, should not be used when developing enterprise applications, since it has all kinds of problems in a good application. Why is it not outdated in newer versions?

+4
source share
4 answers

Statement is a great interface. Which creates queries poorly by concatenating strings together, especially strings containing user input. If you only send persistent requests that do not contain variables, the simple Statement interface works just fine.

+3
source

Statement

Use to share your database. Useful when you use static SQL statements at runtime. The Statement interface cannot accept parameters.

The use of Statement in JDBC must be 100% localized for use in DDL (ALTER, CREATE, GRANT, etc.), since they are the only types of statements that cannot accept BIND VARIABLES.

PreparedStatement

Use when you plan to reuse SQL queries. The PreparedStatement interface accepts input parameters at run time.

PreparedStatements or CallableStatements should be used for EACH OTHER statement type (DML, Requests). Because these are types of operators that accept bind variables.

+2
source

The JDBC driver can handle SQL statements in different ways. In particular, at Oracle PreparedStatement wants to link any thing that it sees that looks like this: NAME.

This is problematic for Oracle Triggers, which uses the names NEW and OLD to represent new and old lines.

So, when you try to create an Oracle trigger using PreparedStatement, it will fail because nothing is related to: NEW /: OLD links.

To do this, you should use the usual call to Statement.execute ().

+1
source

Also PreparedStatement is safer than Statement.

Be careful when you use Statement, and you get input from the user and pass it directly to the request.

A user can hack your system using SQL Injection.

+1
source

More articles:


All Articles