The Statement object, as I understand, is not to be used in developing Enterprise applications as it has all sorts of issues in a good application. Why has it not been deprecated yet in newer versions?
-
Welcome to Stackoverflow! It sounds like you are talking about SQL statements. Which programming language and which database access technology are you referring to? – Joni Sep 25 '13 at 17:48
-
I am referring to the Java Statement and PreparedStatement that one uses over a JDBC connection. – Rahul_tcs Sep 25 '13 at 17:53
-
Take a look at http://stackoverflow.com/a/3385295/1541533 – Diogo Moreira Sep 25 '13 at 17:58
4 Answers
`Statement` is a perfectly fine interface. What's bad is creating queries by concatenating strings together, especially strings containing user input. If you're only issuing constant queries containing no variables, the simple `Statement` interface serves perfectly well.

Statement
Use for general-purpose access to your database. Useful when you are using static SQL statements at runtime. The Statement interface cannot accept parameters.
The use of a Statement in JDBC should be 100% localized to DDL (ALTER, CREATE, GRANT, etc.), as these are the only statement types that cannot accept BIND VARIABLES.
PreparedStatement
Use when you plan to use the SQL statements many times. The PreparedStatement interface accepts input parameters at runtime.
PreparedStatements or CallableStatements should be used for EVERY OTHER type of statement (DML, queries), as these are the statement types that accept bind variables.

-
Seems a little excessive, like corporate style guides run amok; why should we use `PreparedStatement` for "`SELECT COUNT(*) FROM USERS`" ? – Ernest Friedman-Hill Sep 25 '13 at 18:32
The JDBC driver can treat the SQL statements differently. Specifically, in Oracle, PreparedStatement wants to bind anything it sees that looks like :NAME.
This is problematic for Oracle triggers, which use the :NEW and :OLD names to represent the new and old rows.
So, when you try to create an Oracle Trigger, using a PreparedStatement, it will fail because nothing is bound to the references of :NEW / :OLD.
You must use a normal Statement.execute() call to do this instead.

Also PreparedStatement is more secure than Statement.
Take care when you are using Statement and you get input from the user and pass it to the query directly.
A user can hack your system using SQL injection.
