Hello,
In my web app I have Data Fetches in DAO Methods. Those are plain Select querries with different 'where' clause and values depending on input to the DAO Method. I build Where part depending on what input I get.( for example: if user wantes to get customer by giving ID then query becomes:
select fld1, fld2, fld3 from customer where id = "someID"
if user wantes to get customer by giving name then query becomes:
select fld1, fld2, fld3 from customer where name = "inName")
So each time this DAO method is executed, it may have different querry to execute. This query is not in a loop (unlike where multiple inserts or updates would be)
Each time I return from method, I close statement and then connection (which is thr' a connection pool).
In this situation, does it buy me performance (or any other thing) if I use PreparedStatement or I will be better off with simple Statement??
Thanks,
P.I.
-
PreparedStatement - to use or not to use (4 messages)
- Posted by: P I
- Posted on: May 20 2005 10:40 EDT
Threaded Messages (4)
- PreparedStatement - to use or not to use by Nils Kilden-Pedersen on May 20 2005 13:50 EDT
- PreparedStatement - to use or not to use by P I on May 20 2005 14:30 EDT
- PreparedStatement - to use or not to use by Andreas Berg on August 05 2005 03:00 EDT
- Re: PreparedStatement - to use or not to use by J Dev on August 27 2007 00:30 EDT
-
PreparedStatement - to use or not to use[ Go to top ]
- Posted by: Nils Kilden-Pedersen
- Posted on: May 20 2005 13:50 EDT
- in response to P I
Always use PreparedStatements to prevent SQL injection, particularly in a web application.
To ease your JDBC pain, have you tried O/R Broker, which provides you with externalized SQL, named parameters, and automatic mapping to your Java objects? -
PreparedStatement - to use or not to use[ Go to top ]
- Posted by: P I
- Posted on: May 20 2005 14:30 EDT
- in response to Nils Kilden-Pedersen
I am looking at it.Thanks for your suggestion.
P.I. -
PreparedStatement - to use or not to use[ Go to top ]
- Posted by: Andreas Berg
- Posted on: August 05 2005 03:00 EDT
- in response to P I
Your application server should have a cache for prepared statements, as well as the database might cache some optimizations itself when using prepared statements. So the advantage of using prepared statements is not only present when you do queries in a loop or something, but also when you use the same query several times in the lifetime of an application.
Having "the same query" is independent of the data ("someID"), it is just the sql execution order and stuff like this that is optimized.
So my suggestion is to always use a prepared statement unless you are sure that the query is only used once in the lifetime of an application.
Kind regards,
Andreas Berg, Triona -
Re: PreparedStatement - to use or not to use[ Go to top ]
- Posted by: J Dev
- Posted on: August 27 2007 00:30 EDT
- in response to P I
Hello,
With simple statement there is always danger of sql injection. always use preparedstatement. you can try out NamedParametersStatement
In my web app I have Data Fetches in DAO Methods. Those are plain Select querries with different 'where' clause and values depending on input to the DAO Method. I build Where part depending on what input I get.( for example: if user wantes to get customer by giving ID then query becomes:
select fld1, fld2, fld3 from customer where id = "someID"
if user wantes to get customer by giving name then query becomes:
select fld1, fld2, fld3 from customer where name = "inName")
So each time this DAO method is executed, it may have different querry to execute. This query is not in a loop (unlike where multiple inserts or updates would be)
Each time I return from method, I close statement and then connection (which is thr' a connection pool).
In this situation, does it buy me performance (or any other thing) if I use PreparedStatement or I will be better off with simple Statement??
Thanks,
P.I.