stackoom
  简体   繁体   中英

Which way is better for update database record?

 原文  2013-08-19 21:16:44       java/ jdbc

Question

I have two method for update: 

String query = "update mytable set name = 'new_value' where id ='20' ";
Connection conn;
PreparedStatement pState;
try {
    conn = DriverManager.getConnection(dbUrl, "root", "2323");
    pState = conn.prepareStatement(query);
    pState.executeUpdate();
} catch (SQLException sql) {
    sql.printStackTrace();
}

OR: 

String query = "update mytable set name = ?" + "where id = ?";
Connection conn;
PreparedStatement pState;
int s;
try {
    conn = DriverManager.getConnection(dbUrl, "root", "2323");
    pState = conn.prepareStatement(query);
    pState.setStringt(1, "new_value");
    pState.setString(2, "20");
    s = pState.executeUpdate();       // if s = 1 then update done successfully
} catch (SQLException sql) {
    sql.printStackTrace();
}

Both methods update database record correctly, Which is better?

3 answers

solution1
 3  2013-08-19 21:17:40

Second approach is good practice to avoid S QL Injection attacks .

And following is enough to construct query String, another + concatenation is not required. 

 String query = "update mytable set name = ? where id = ?";

solution2
 1 ACCPTED  2013-08-19 21:19:08

I would say the second approach.

You aren't returning anything, so why create a result set and go down that path?

Edit:

Even after your comment, I would still use the second template. It's more flexible. Additionally, it's faster. The PreparedStatement is pre-compiled in the database which allows the database to execute a parametric query using the statement faster than a normal query. This won't happen if you use string concatenation (like in your first example).

See: http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html

Additionally, from that page:

The main feature of a PreparedStatement object is that, unlike a Statement object, it is given a SQL statement when it is created. The advantage to this is that in most cases, this SQL statement is sent to the DBMS right away, where it is compiled. As a result, the PreparedStatement object contains not just a SQL statement, but a SQL statement that has been precompiled. This means that when the PreparedStatement is executed, the DBMS can just run the PreparedStatement SQL statement without having to compile it first.

Although PreparedStatement objects can be used for SQL statements with no parameters, you probably use them most often for SQL statements that take parameters. The advantage of using SQL statements that take parameters is that you can use the same statement and supply it with different values each time you execute it.

solution3
 1  2013-08-19 21:19:45

The second way is more faster if you use frequently the same query. Depends of the database vendor, the query is cached and the efficiency is higher than that using flat sentences. But all that depends on the implementation of the JDBC driver and the services provided by the database.

See more in Using Prepared Statements in the The Java Tutorials .

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Is there a better way to swap/update an ArrayList which is inside a Map for Java? which way is better in java? Which method is better for updating database? Which way is better for exception handling java thread which is better way? Which Way of List Initialize Is Better which is better way to casting in java Is there a better way to update UI periodically Unable to update database record in MySQL Update a record value in java database
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM