An Example
PreparedStatement is used to execute queries that are meant to run repeatedly, for
example SELECT * from Employees WHERE EMP_ID=?. This query can be run many times to
fetch the details of different employees. When you use a PreparedStatement like this,
the database assists in query preparation, which is both faster and more secure. Such
a query is compiled once, and on databases that support server-side prepared statements
its execution plan is cached on the database side, so every time you execute it you get
a faster response than with a query assembled on the fly and run through a plain
Statement object, like "SELECT * from Employees WHERE EMP_ID=" + emp_id.
The difference between the two queries is the placeholder, the "?" character: the
first uses String concatenation to build a dynamic query, while PreparedStatement uses
bind parameters to supply the dynamic values.
The String concatenation version also has a security problem, because it can be targeted
with SQL injection: whatever is in emp_id becomes part of the SQL text the database
parses. The placeholder version, i.e. the one that uses PreparedStatement, sends the
value separately from the SQL text, so the value can never change the structure of the
query, and that is what provides safety against SQL injection in Java.
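The two query styles described above, side by side, as an added example that is not part of the original article. It assumes an in-memory H2 database reachable at jdbc:h2:mem:demo with the H2 driver on the classpath (any JDBC driver would do), and it constructs a small Employees table with three rows; the attacker input "1 OR 1=1" is constructed as well.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class EmployeeLookup {

    // VULNERABLE: untrusted input is spliced into the SQL text, so the database
    // parses attacker-controlled characters as query syntax.
    static List<String> findByIdUnsafe(Connection con, String empIdFromRequest) throws SQLException {
        String sql = "SELECT NAME FROM Employees WHERE EMP_ID=" + empIdFromRequest;
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return collectNames(rs);
        }
    }

    // SAFE: the SQL text is a constant; the value travels as a typed bind
    // parameter and can never be interpreted as part of the query.
    static List<String> findByIdSafe(Connection con, int empId) throws SQLException {
        String sql = "SELECT NAME FROM Employees WHERE EMP_ID=?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setInt(1, empId);
            try (ResultSet rs = ps.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    private static List<String> collectNames(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("NAME"));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath. The table and rows are sample data.
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE Employees(EMP_ID INT PRIMARY KEY, NAME VARCHAR(50))");
                st.execute("INSERT INTO Employees VALUES (1,'Alice'),(2,'Bob'),(3,'Carol')");
            }

            // Constructed attacker input for the emp_id request parameter.
            String payload = "1 OR 1=1";

            // The concatenated query becomes "... WHERE EMP_ID=1 OR 1=1" and leaks every row.
            System.out.println("unsafe, payload: " + findByIdUnsafe(con, payload));

            // The safe path takes an int, so the payload is rejected before any SQL is built.
            try {
                findByIdSafe(con, Integer.parseInt(payload));
            } catch (NumberFormatException e) {
                System.out.println("safe, payload rejected: " + e.getMessage());
            }

            System.out.println("safe, id 2: " + findByIdSafe(con, 2));
        }
    }
}
```

Run against the sample table, the unsafe call with the payload returns all three names, Integer.parseInt() rejects the payload before findByIdSafe() is ever reached, and the safe call for id 2 returns only Bob. Parsing the request parameter into the column's Java type at the boundary is what makes setInt() usable; if the column were a VARCHAR you would bind the raw string with setString() and the payload would simply match no row.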
In this article, you will learn how to use PreparedStatement to execute an SQL query in
Java using the JDBC API. You will also learn the pros and cons of using
PreparedStatement in Java. But if you want to learn more about the JDBC API and other
important APIs in Java, then I suggest you take a look at The Complete Java
Masterclass on Udemy, one of the most comprehensive and up-to-date courses on
Java.
2) Create an SQL query with a placeholder, like SELECT * from STOCKS WHERE
TICKER=?
6) The previous step returns a ResultSet containing all the rows returned by the SQL query.
Iterate through the ResultSet and print the data or create objects out of it.
And if you want to connect to Microsoft SQL Server, then you need sqljdbc4.jar. The
exact driver also depends on which version of the database you are connecting to. You
also need the respective JDBC URL, username, and password to connect to the database.
3) Connection.prepareStatement()
Create a PreparedStatement object by calling the Connection.prepareStatement() method
and passing it the SQL created in the previous step.
PreparedStatement ps = con.prepareStatement(SQL);
If you are interested, you can further see the Java Platform: Working with Databases Using
JDBC course on Pluralsight to learn more about how to use these objects.
For example, if the placeholder is for a column of VARCHAR type, then you need to call
the setString() method; if the placeholder is for a column of INT type, then you need
to call the setInt() method.
ps.setString(1, "MSFT");
Remember, the first parameter is the index of the placeholder, which starts at 1. For
example, if you have two placeholders, then to set the value of the second placeholder
you would call ps.setString(2, "GOOG");
If you call a setXXX() method with an invalid index, the driver throws an SQLException
reporting that the parameter index is out of range.
ResultSet rs = ps.executeQuery();
This will return the ResultSet which contains all rows returned by the SQL query.
6) Iterate through the ResultSet and print the data or create objects out of it.
Once you have the data on the client machine, you can do whatever you want with it. You
can just print it if you are trying things out, or you can create Java objects from it.
In our case, we just print it to the console, as shown below:
while(rs.next()){
System.out.println(rs.getString(1));
}
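The whole procedure (prepare, bind, execute, iterate) carried through for a query with two placeholders, as an added example that is not part of the original article. It also shows the two points made above about placeholder indexes: the second placeholder is bound with index 2, and binding an index the statement does not have fails with an SQLException. It assumes an in-memory H2 database at jdbc:h2:mem:stocks with the H2 driver on the classpath, and the STOCKS table, its rows and the PRICE column are constructed sample data.

```java
import java.math.BigDecimal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class StockQuery {

    // One PreparedStatement with two placeholders, prepared once and re-executed
    // for several tickers. Indexes start at 1: TICKER is parameter 1, the price
    // floor is parameter 2.
    static List<String> quotesAbove(Connection con, List<String> tickers, BigDecimal minPrice)
            throws SQLException {
        String sql = "SELECT TICKER, PRICE FROM STOCKS WHERE TICKER=? AND PRICE>=?";
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            for (String ticker : tickers) {
                ps.setString(1, ticker);        // VARCHAR column -> setString
                ps.setBigDecimal(2, minPrice);  // DECIMAL column -> setBigDecimal
                try (ResultSet rs = ps.executeQuery()) {
                    while (rs.next()) {
                        rows.add(rs.getString("TICKER") + "=" + rs.getBigDecimal("PRICE"));
                    }
                }
            }
        }
        return rows;
    }

    // Binding index 2 on a statement with a single placeholder: the driver
    // rejects it with an SQLException before anything is sent to the server.
    static String bindInvalidIndex(Connection con) {
        try (PreparedStatement ps = con.prepareStatement("SELECT * FROM STOCKS WHERE TICKER=?")) {
            ps.setString(2, "GOOG");
            return "no error";
        } catch (SQLException e) {
            return "SQLException: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: the H2 driver is on the classpath. Table and rows are sample data.
        try (Connection con = DriverManager.getConnection("jdbc:h2:mem:stocks")) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE STOCKS(TICKER VARCHAR(10), PRICE DECIMAL(10,2))");
                st.execute("INSERT INTO STOCKS VALUES ('MSFT', 410.25), ('GOOG', 172.80), ('IBM', 98.10)");
            }
            System.out.println(quotesAbove(con, List.of("MSFT", "GOOG", "IBM"), new BigDecimal("100")));
            System.out.println(bindInvalidIndex(con));
        }
    }
}
```

With the sample rows, quotesAbove() returns MSFT and GOOG and skips IBM, whose price is below the floor, and bindInvalidIndex() returns the driver's message about the invalid parameter index. Note that every parameter is set again before each executeQuery(); a bound value stays in place until it is overwritten or clearParameters() is called, so forgetting to rebind one parameter silently reuses the previous iteration's value.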
3) PreparedStatement uses setXXX() methods to set the data, which also gives you type
checking at compile time: when you call setInt(), for example, you cannot pass a String.
That's all about how to use PreparedStatement in Java. You should use
PreparedStatement to encapsulate SQL queries that run repeatedly; it is faster and more
secure. If your query depends on any user data, like an emp_id arriving as a request
parameter in a Java web application, you must use PreparedStatement and pass that data
through the setXXX() methods to avoid SQL injection in Java. Keep in mind that a
placeholder can only stand for a value: if you concatenate user input into the SQL
string before calling prepareStatement(), for example to pick a table or column name,
you are just as exposed as with a plain Statement.