Prefer PreparedStatement
PreparedStatement is usually preferred over Statement for these reasons:
- it is in general more secure. When a Statement is constructed dynamically from user input, it is vulnerable to SQL injection attacks, because the input becomes part of the SQL text that the database parses. A PreparedStatement binds user input as parameter values that are never parsed as SQL, so it is not vulnerable in this way.
- there is usually no need to worry about escaping special characters (quotes, for example), since parameter values are passed separately from the SQL text.
- if repeated compilation is avoided, its performance is usually better: the database can compile the statement once and execute it many times with different parameter values.
In general, it seems safest to use a Statement only when the SQL is of fixed, known form, with no parameters.
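The following added example (not part of the original topic) shows both approaches side by side on the same query. It assumes an H2 in-memory database driver on the classpath; the table, column and user names are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreferPreparedStatement {

  // Statement built by string concatenation: the user-supplied name becomes part
  // of the SQL text, so a quote inside it changes the structure of the query.
  static int countWithStatement(Connection conn, String userName) throws SQLException {
    String sql = "SELECT COUNT(*) FROM users WHERE name = '" + userName + "'";
    try (Statement stmt = conn.createStatement();
         ResultSet rs = stmt.executeQuery(sql)) {
      rs.next();
      return rs.getInt(1);
    }
  }

  // PreparedStatement: the SQL text is fixed; the name is bound as a parameter
  // value and is never parsed as SQL, so no escaping is needed.
  static int countWithPreparedStatement(Connection conn, String userName) throws SQLException {
    String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
    try (PreparedStatement ps = conn.prepareStatement(sql)) {
      ps.setString(1, userName);
      try (ResultSet rs = ps.executeQuery()) {
        rs.next();
        return rs.getInt(1);
      }
    }
  }

  public static void main(String[] args) throws SQLException {
    // Assumption: H2 is on the classpath (constructed in-memory database).
    try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
      try (Statement s = conn.createStatement()) {
        s.execute("CREATE TABLE users (name VARCHAR(50))");
        s.execute("INSERT INTO users VALUES ('O''Brien'), ('bob')");
      }
      String name = "O'Brien"; // a legitimate name containing a quote
      try {
        System.out.println("Statement: " + countWithStatement(conn, name));
      } catch (SQLException e) {
        // The quote ends the string literal early and the database rejects the SQL.
        System.out.println("Statement failed: " + e.getMessage());
      }
      System.out.println("PreparedStatement: " + countWithPreparedStatement(conn, name));
    }
  }
}
```

The same quote that breaks the concatenated query is exactly what an injection attack relies on; with the parameter bound, the lookup simply matches the stored name.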