预处理语句是Statement的一个稍微强大一点的版本,并且应该总是至少像Statement一样快速和容易处理。 预估报表可以被参数化
大多数关系数据库处理JDBC / SQL查询分为四个步骤:
解析传入的SQL查询 编译SQL查询 规划/优化数据采集路径 执行优化的查询/获取和返回数据
对于发送到数据库的每个SQL查询,Statement将始终执行上述四个步骤。预处理语句预先执行上述执行过程中的步骤(1)-(3)。因此,在创建准备语句时,会立即执行一些预优化。其效果是在执行时减轻数据库引擎的负载。
现在我的问题是:
“使用预准备报表还有其他好处吗?”
当前回答
PreparedStatement相对于Statement的一些好处是:
PreparedStatement helps us in preventing SQL injection attacks because it automatically escapes the special characters. PreparedStatement allows us to execute dynamic queries with parameter inputs. PreparedStatement provides different types of setter methods to set the input parameters for the query. PreparedStatement is faster than Statement. It becomes more visible when we reuse the PreparedStatement or use it’s batch processing methods for executing multiple queries. PreparedStatement helps us in writing object Oriented code with setter methods whereas with Statement we have to use String Concatenation to create the query. If there are multiple parameters to set, writing Query using String concatenation looks very ugly and error prone.
阅读更多关于SQL注入问题,请访问http://www.journaldev.com/2489/jdbc-statement-vs-preparedstatement-sql-injection-example
其他回答
PreparedStatement相对于Statement的一些好处是:
PreparedStatement helps us in preventing SQL injection attacks because it automatically escapes the special characters. PreparedStatement allows us to execute dynamic queries with parameter inputs. PreparedStatement provides different types of setter methods to set the input parameters for the query. PreparedStatement is faster than Statement. It becomes more visible when we reuse the PreparedStatement or use it’s batch processing methods for executing multiple queries. PreparedStatement helps us in writing object Oriented code with setter methods whereas with Statement we have to use String Concatenation to create the query. If there are multiple parameters to set, writing Query using String concatenation looks very ugly and error prone.
阅读更多关于SQL注入问题,请访问http://www.journaldev.com/2489/jdbc-statement-vs-preparedstatement-sql-injection-example
准备语句忽略SQL注入,提高了准备语句的安全性
语句接口执行不带参数的静态SQL语句
PreparedStatement接口(扩展Statement)执行预编译的带/不带参数的SQL语句
对于重复执行有效 它是预编译的,所以更快
不要混淆:只要记住
Statement is used for static queries like DDLs i.e. create,drop,alter and prepareStatement is used for dynamic queries i.e. DML query. In Statement, the query is not precompiled while in prepareStatement query is precompiled, because of this prepareStatement is time efficient. prepareStatement takes argument at the time of creation while Statement does not take arguments. For Example if you want to create table and insert element then :: Create table (static) by using Statement and Insert element (dynamic)by using prepareStatement.
这样更容易阅读 您可以轻松地将查询字符串设置为常量
