> Why did Serge use PreparedStatements in eg
> JDBCMailRepository.store(MailImpl mc)?

You almost always want to use PreparedStatement with arbitrary data.  The
positional parameters are not parsed as part of the SQL statement, and
therefore cannot be misinterpreted as part of the SQL statement.

Servers accepting externally provided data and building query strings are
typically ripe for exploit.

See also: mysql.PreparedStatement.execute()
          [mysql.PreparedStatement.fillSendPacket() in Connector/J v3]

With respect to your performance observations, in a connection pooled
environment, a statement pool is necessary for performance, since it is
likely that a PreparedStatement will be used many times, but not during the
scope of a single use of a pooled connection.  In Connector/J v2, the
statement cache code was incomplete and disabled.  In Connector/J v3.0 and
v3.1, the statement cache was completely removed.  You can ask Mark about
why Connector/J does not implement a statement pool.  He may be assuming
that pooling will be provided external to the driver.

See also:
 JDBC v3 Specification, Section 11.6
 http://www.mysql.com/doc/en/C_API_Prepared_statements.html

http://archives.apache.org/eyebrowse/[EMAIL PROTECTED]
pache.org&msgId=434537

http://jakarta.apache.org/commons/dbcp/apidocs/org/apache/commons/dbcp/PoolingConnection.html
 http://www.oop-reserch.com/poolps_3_0.html

FWIW, there are no plans to add a statement pool to mordred, but DBCP has
one.

        --- Noel
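
An added example, not part of the original message or of the James code base, showing the difference between building a query string from data and binding the same data as positional parameters. The `inbox` table, the class name, and the in-memory H2 JDBC URL (which needs the H2 driver on the classpath) are assumptions made for illustration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class BoundParameterDemo {
    public static void main(String[] args) throws SQLException {
        // Assumption: in-memory H2 database, driver on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo");
             Statement st = conn.createStatement()) {
            // Hypothetical table, not the real James repository schema.
            st.execute("CREATE TABLE inbox (message_name VARCHAR(200), sender VARCHAR(255))");

            // Constructed sample data: an ordinary address containing a quote.
            String name = "Mail1";
            String sender = "o'brien@example.org";

            // Query string built from data: the quote ends the SQL literal early,
            // so the rest of the value is parsed as SQL and the statement fails.
            String built = "INSERT INTO inbox (message_name, sender) VALUES ('"
                    + name + "', '" + sender + "')";
            try {
                st.executeUpdate(built);
            } catch (SQLException e) {
                System.out.println("Built query rejected: " + e.getMessage());
            }

            // Positional parameters: the SQL text is fixed and the values are bound separately.
            try (PreparedStatement ps = conn.prepareStatement(
                    "INSERT INTO inbox (message_name, sender) VALUES (?, ?)")) {
                ps.setString(1, name);
                ps.setString(2, sender);
                ps.executeUpdate();
            }

            // Read the row back: the stored value equals the input exactly.
            try (PreparedStatement q = conn.prepareStatement(
                    "SELECT sender FROM inbox WHERE message_name = ?")) {
                q.setString(1, name);
                try (ResultSet rs = q.executeQuery()) {
                    boolean intact = rs.next() && sender.equals(rs.getString(1));
                    System.out.println("Stored value intact: " + intact);
                }
            }
        }
    }
}
```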

