A PreparedStatement in Java is an interface provided by the Java Database Connectivity (JDBC) API that represents a precompiled SQL statement. It is used to execute SQL queries efficiently and securely, especially when working with dynamic inputs, by preventing SQL injection and improving performance for repeated queries.
PreparedStatements are primarily used for queries where the same SQL statement is executed multiple times with different input values. This makes them a powerful tool for developers working with databases in Java applications.
Key Features of PreparedStatement
- Precompiled SQL Statements: The SQL query is compiled once and can be executed multiple times with different parameters, reducing the overhead of query parsing.
- Parameterized Queries: Use placeholders (?) for parameters, which are bound to actual values at runtime.
- Prevents SQL Injection: Parameter values are bound separately from the SQL text rather than spliced into it, so user input cannot change the structure of the query; this is what makes queries secure against SQL injection attacks.
- Supports Both Queries and Updates: Can execute both SELECT queries and DML operations like INSERT, UPDATE, and DELETE.
- Improved Performance: Since the query is precompiled, execution is faster, especially for queries executed multiple times.
How to Use PreparedStatement in Java
Here’s how you can use a PreparedStatement step-by-step:
1. Establish a Database Connection
First, connect to the database using the DriverManager or a connection pool.
2. Create a SQL Query with Placeholders
Write the SQL query with ? as placeholders for parameters.
3. Prepare the Statement
Create the PreparedStatement object using the Connection.prepareStatement() method.
4. Set Parameter Values
Set the actual values for the placeholders using methods like setInt(), setString(), etc.
5. Execute the Query
Execute the query using the appropriate method (executeQuery() for SELECT and executeUpdate() for DML).
6. Close the Resources
Always close the PreparedStatement and the database connection to free up resources.
Example: Using PreparedStatement in Java
Here are two simple examples that demonstrate the use of a PreparedStatement to retrieve data from, and insert data into, a database:
Code Example: SELECT Query with PreparedStatement
```java
import java.sql.*;

public class PreparedStatementExample {
    public static void main(String[] args) {
        // Database connection details
        String url = "jdbc:mysql://localhost:3306/exampledb";
        String username = "root";
        String password = "password";

        // SQL query with a parameter placeholder
        String query = "SELECT * FROM users WHERE age > ?";

        try (Connection connection = DriverManager.getConnection(url, username, password);
             PreparedStatement preparedStatement = connection.prepareStatement(query)) {
            // Set the parameter value
            preparedStatement.setInt(1, 25);

            // Execute the query
            ResultSet resultSet = preparedStatement.executeQuery();

            // Process the result set
            while (resultSet.next()) {
                System.out.println("ID: " + resultSet.getInt("id"));
                System.out.println("Name: " + resultSet.getString("name"));
                System.out.println("Age: " + resultSet.getInt("age"));
            }
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}
```
Code Example: INSERT Query with PreparedStatement
```java
import java.sql.*;

public class InsertExample {
    public static void main(String[] args) {
        String url = "jdbc:mysql://localhost:3306/exampledb";
        String username = "root";
        String password = "password";

        String insertQuery = "INSERT INTO users (name, age) VALUES (?, ?)";

        try (Connection connection = DriverManager.getConnection(url, username, password);
             PreparedStatement preparedStatement = connection.prepareStatement(insertQuery)) {
            // Set parameter values
            preparedStatement.setString(1, "Alice");
            preparedStatement.setInt(2, 30);

            // Execute the update
            int rowsInserted = preparedStatement.executeUpdate();
            System.out.println("Rows inserted: " + rowsInserted);
        } catch (SQLException e) {
            e.printStackTrace();
        }
    }
}
```
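To tie the feature list and the six steps above together, here is an added example (not code from the original article) that reuses one precompiled INSERT for several rows, then looks up a name containing a single quote both by string concatenation and by parameter binding, and closes every resource with try-with-resources. It assumes the H2 JDBC driver is on the classpath; the in-memory URL, the table and the sample rows are constructed for this demonstration.

```java
import java.sql.*;

// Added example, not from the original article. Assumes the H2 JDBC driver is on the
// classpath; "jdbc:h2:mem:demo" is an in-memory database that lives only for this run.
public class BindingDemo {
    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement ddl = conn.createStatement()) {
                ddl.execute("CREATE TABLE users (name VARCHAR(100), age INT)");
            }

            // One precompiled INSERT, executed three times with different bound values.
            // The third name contains a single quote; bound as a parameter it is plain data.
            String[] names = {"Alice", "Bob", "O'Brien"};
            int[] ages = {30, 41, 52};
            try (PreparedStatement insert =
                         conn.prepareStatement("INSERT INTO users (name, age) VALUES (?, ?)")) {
                for (int i = 0; i < names.length; i++) {
                    insert.setString(1, names[i]);
                    insert.setInt(2, ages[i]);
                    insert.executeUpdate();
                }
            }

            // Concatenating the same value into the SQL text changes the statement itself:
            // the quote inside O'Brien is parsed as SQL syntax, so the query is rejected.
            String concatenated = "SELECT age FROM users WHERE name = '" + names[2] + "'";
            try (Statement s = conn.createStatement(); ResultSet rs = s.executeQuery(concatenated)) {
                System.out.println("unexpected: concatenated query was accepted");
            } catch (SQLException e) {
                System.out.println("concatenated query rejected: " + e.getMessage());
            }

            // With binding, the lookup works and the quote never reaches the SQL parser.
            System.out.println("age of O'Brien via binding: " + ageOf(conn, names[2]));
        }
    }

    // Both the PreparedStatement and its ResultSet are closed by try-with-resources.
    static int ageOf(Connection conn, String name) throws SQLException {
        try (PreparedStatement select =
                     conn.prepareStatement("SELECT age FROM users WHERE name = ?")) {
            select.setString(1, name);
            try (ResultSet rs = select.executeQuery()) {
                return rs.next() ? rs.getInt("age") : -1;
            }
        }
    }
}
```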
Methods of PreparedStatement
Here are some commonly used methods provided by the PreparedStatement interface:
| Method | Description |
|---|---|
| setInt(int parameterIndex, int value) | Sets an integer parameter. |
| setString(int parameterIndex, String value) | Sets a string parameter. |
| setDouble(int parameterIndex, double value) | Sets a double parameter. |
| setDate(int parameterIndex, Date value) | Sets a date parameter. |
| executeQuery() | Executes a SELECT query and returns a ResultSet. |
| executeUpdate() | Executes an INSERT, UPDATE, or DELETE query. |
| close() | Closes the PreparedStatement. |
Advantages of PreparedStatement
- Prevention of SQL Injection: Input is passed as bound parameters rather than spliced into the SQL text, so special characters in the input cannot change the meaning of the query.
- Reusability: Precompiled queries can be reused with different parameter values, reducing overhead.
- Ease of Use: Parameterized queries simplify dynamic SQL construction.
- Improved Performance: Parsing and compilation occur once, improving performance for repeated executions.
Disadvantages of PreparedStatement
- Initial Overhead: Initial preparation of the statement might take more time than a direct query.
- Database-Specific: The level of performance optimization may vary across different database systems.
When to Use PreparedStatement?
- When you need to execute the same query multiple times with different parameters.
- When dealing with user inputs to ensure security against SQL injection.
- When working with dynamic queries that involve variable data.
The PreparedStatement in Java is a vital tool for secure and efficient database operations. It ensures protection against SQL injection, simplifies the handling of dynamic SQL, and improves performance for repeated queries. By understanding how to use PreparedStatements effectively, developers can build robust and secure Java applications that interact seamlessly with databases.