How does Java's PreparedStatement work?

java prepared-statement jdbc

I am planning to replace repeatedly executed Statement objects with PreparedStatement objects to improve performance. I am using arguments like the MySQL function now(), and string variables.

Most of the PreparedStatement queries I have seen contained constant values (like 10, and strings like "New York") as arguments used for the ? in the queries. How would I go about using functions like now(), and variables as arguments? Is it necessary to use the ?s in the queries instead of actual values? I am quite confounded.


If you have a variable that comes from user input, it's essential that you use the ? rather than concatenating the strings. Users might enter a string maliciously, and if you drop the string straight into SQL it can run a command you didn't intend.

I realise this one is overused, but it says it perfectly:

Little Bobby Tables


If you have variables use the '?'

int temp = 75;
PreparedStatement pstmt = con.prepareStatement(
    "UPDATE test SET num = ?, due = now() ");
pstmt.setInt(1, temp); 
pstmt.executeUpdate():

Produces an sql statment that looks like:

UPDATE test SET num = 75, due = now();

Related

Syscall implementation of exit()
Mac OSX - IllegalStateException: The driver is not executable:
How can I select an nth child without knowing the parent element?
What is the proper OpenGL initialisation on Intel HD 3000?
css skew element and get inner rounded border top
how to detect whether VBA excel found something?
How to transfer the formatted date string from my DatePickerFragment?
How can I use jQuery to style /parts/ of all instances of a specific word?
Linux default behavior of executable .data section changed between 5.4 and 5.9?
java.lang.IllegalStateException: Not on FX application thread; currentThread = Thread-4
Idiomatic Type Conversion in Go
Need of Pointer to pointer