
How does prepared statement work in Java?

What is a prepared statement good for? I read it is good for performance when you execute the same SQL query multiple times, just with different values.

//Line 1
ps = c.prepareStatement("INSERT INTO STUDENT VALUES (?, ?)");

So here I created a prepared statement. Will this be sent to the database and stay there? Then I only have to send the values to the database. Right?

//This is created only once
//Once created, the PreparedStatement is compiled automatically.
ps.setInt(1, 111);
ps.setString(2, "Bob");
ps.executeUpdate();

Here I set the values, which are sent to the database without the actual query. Right?

They have two purposes. The one you stated, but that's a very minor benefit. It is, in fact, not guaranteed at all; a JDBC driver is free to just 'fill in the blanks', so to speak, and send the SQL otherwise verbatim to the DB layer every time. If your DB engine supports precompiling SQL statements, then PreparedStatement is how to get this benefit, but a JDBC driver does not have to support this (it must support PreparedStatement, but it may implement it without precompiling anything). Besides, if you're looking for a 'bulk' job (do the same thing many, many times), often there are better tools available. For example, if you want to insert 1 million records into a table, there are far more efficient ways than just creating a prepared statement and rerunning it with different set values a million times. You'd turn off all constraint checking and index updating, and/or use COPY or some other bulk insertion process specifically designed for this, then turn checks and indices back on.

No, the 99%+ reason to use PreparedStatement over Statement is security.

Statement is not secure.

Imagine this one:

String name = getNameFromWebForm();
String id = getNextAvailableStudentId();
connection.createStatement().executeUpdate("INSERT INTO STUDENT (name, id) VALUES ('" + name + "', '" + id + "');");

and now some enterprising clown decides to try this name on for size:

Alicia', '1'); DROP TABLE STUDENT; EXEC 'rm -rf /*'; --

As in, they literally type all that jazz (or more likely paste it) into the web form that reads: "Name:". With the quotes and the dashes and the semicolons, all of it.

They click 'form submit' and a few moments later the table is deleted and with some luck the entire server disk is obliterated.

You can't solve this by going: Eh, no prob, I'll just find quotes and eliminate them; you have no idea what the DB does and does not allow for quoting and the like. Maybe this DB allows backquotes. Maybe this one allows unicode escapes. The only party that knows is the JDBC driver and the database, and you unlock their ability to escape things by using PreparedStatement.

TL;DR: Anytime you have 'parameters' in your query, you MUST use PreparedStatement.
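To make both halves of this thread concrete (the question about how values reach the database, and the answer's injection scenario), here is an added, self-contained Java example; it is not code from the question's author or the answerer. It assumes the H2 JDBC driver is on the classpath so that an in-memory database (`jdbc:h2:mem:demo`) can be used offline, and it constructs a small `STUDENT(id, name)` table for the demo. The hostile name is the exact payload quoted in the answer. The concatenated SQL is only built and printed, never executed, so you can see what the parser would have received; the same text is then inserted through a PreparedStatement and read back to show it was stored as plain data.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // The payload from the answer above, exactly as a user might paste it into the "Name:" field.
    static final String HOSTILE_NAME = "Alicia', '1'); DROP TABLE STUDENT; EXEC 'rm -rf /*'; --";

    // Vulnerable pattern: builds the SQL text that string concatenation would hand to the driver.
    // It is returned, not executed, so we can inspect what the database would have parsed.
    static String buildUnsafeSql(String name, String id) {
        return "INSERT INTO STUDENT (name, id) VALUES ('" + name + "', '" + id + "');";
    }

    // Safe pattern: the SQL shape is fixed when the statement is prepared; the values travel
    // as parameters, so quotes, semicolons and comment markers in `name` never reach the parser.
    static void insertStudent(Connection conn, int id, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "INSERT INTO STUDENT (id, name) VALUES (?, ?)")) {
            ps.setInt(1, id);
            ps.setString(2, name);
            ps.executeUpdate();
        }
    }

    // Read the stored name back through a parameterised query as well.
    static String findName(Connection conn, int id) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT name FROM STUDENT WHERE id = ?")) {
            ps.setInt(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: H2 driver on the classpath; an in-memory database needs no server.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                // Constructed demo table matching the column names used in the thread.
                st.executeUpdate("CREATE TABLE STUDENT (id INT PRIMARY KEY, name VARCHAR(255))");
            }

            System.out.println("SQL the concatenating version would send:");
            System.out.println(buildUnsafeSql(HOSTILE_NAME, "111"));
            // The line above is an INSERT followed by a DROP TABLE and a trailing comment:
            // the user's input has become part of the program, not a value.

            insertStudent(conn, 111, HOSTILE_NAME);
            System.out.println("Stored as data via PreparedStatement: " + findName(conn, 111));
            // The table still exists and the row's name is the payload text, verbatim.
        }
    }
}
```

The distinction to take away is the one the answer makes: with a PreparedStatement the query text and the parameter values are handed to the driver separately, so whether or not the database precompiles anything, the driver (or server) is the party that quotes or binds the value, and the value can never change the statement's structure.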
