Absolutely. It's one of my favorite tricks to break into ASP sites ;-)

Besides this security argument:
- PreparedStatements save you the trouble of escaping single quotes in names like O'Connor.
- They save you the trouble of date formats.
- They allow better updating of longer fields.

After all, the performance argument is certainly valid. The JDBC driver or DBMS can cache the parsed PreparedStatements, and a web container typically runs for weeks without stopping or restarting, so 50-100 queries is no issue at all.

Geert Van Damme

> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Schnitzer
> Sent: vrijdag 3 mei 2002 8:02
> To: [EMAIL PROTECTED]
> Subject: Re: PreparedStatement vs Statement
>
> The primary reason to use PreparedStatement has nothing to do with
> performance.
>
> When you are building your query for a Statement:
>
> String sql = "SELECT * FROM theTable WHERE name = '" + name + "'";
>
> What malicious code do you think could be inserted by users free to pick
> their own names? Answer: lots.
>
> With PreparedStatement, you never need to worry about escaping.
>
> Jeff Schnitzer
> [EMAIL PROTECTED]
>
> > -----Original Message-----
> > From: Ashwani Kalra [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 02, 2002 8:58 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: PreparedStatement vs Statement
> >
> > Hi,
> > I think otherwise. Prepared statements are best to be avoided unless you
> > are trying to execute some queries which cannot be done from a Statement
> > object, like batch processing. From the article below I can conclude that
> > the gain in performance of the PStatement becomes visible only after
> > 50-100 successive inserts.
> >
> > Doing a simple search on Google gives so much info. Instead of guessing
> > which is better please have a look at this link.
> >
> > http://www.onjava.com/pub/a/onjava/excerpt/oraclejdbc_19/
> >
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Cheers
> > Ashwani Kalra
> > http://www.geocities.com/ashwani_kalra/
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > ----- Original Message -----
> > From: "suresh kumar Durairaj" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, May 03, 2002 6:51 AM
> > Subject: Re: PreparedStatement vs Statement
> >
> > > Dear all,
> > >
> > > From the DB perspective,
> > > use of prepared statement reduces the memory usage as prepared statement
> > > uses bind variables. The query is parsed once for several executions. It is
> > > always recommended to use prepared statement wherever possible.
> > >
> > > Suresh
> > >
> > > >From: "Lai, Kenny" <[EMAIL PROTECTED]>
> > > >Reply-To: A mailing list about Java Server Pages specification and
> > > >reference <[EMAIL PROTECTED]>
> > > >To: [EMAIL PROTECTED]
> > > >Subject: PreparedStatement vs Statement
> > > >Date: Thu, 2 May 2002 14:41:20 -0400
> > > >
> > > >Is there a considerable difference if I create PreparedStatement instead
> > > >of Statement after I get my DB connection?
> > > >Are there pitfalls I should be aware of (using PreparedStatement)?
> > > >
> > > >kenny
> > > >
> > > >===========================================================================
> > > >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> > > >For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> > > >Some relevant FAQs on JSP/Servlets can be found at:
> > > >
> > > > http://archives.java.sun.com/jsp-interest.html
> > > > http://java.sun.com/products/jsp/faq.html
> > > > http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > > > http://www.jguru.com/faq/index.jsp
> > > > http://www.jspinsider.com
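As an added example (not code from anyone in this thread), the following Java program puts Jeff's concatenated query next to the bound-parameter form and runs both against the name O'Connor; it assumes an in-memory H2 database at the JDBC URL shown, but any JDBC driver on the classpath will do.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedVsStatement {
    // Assumption: H2 in-memory database; swap in the URL for your own DBMS.
    static final String JDBC_URL = "jdbc:h2:mem:demo";

    // The Statement form from the thread: the name is pasted into the SQL text,
    // so any quote inside it ends the string literal and changes the query.
    static int countByNameConcat(Connection con, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM theTable WHERE name = '" + name + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // The PreparedStatement form: the value travels as a bound parameter,
    // so quotes in it are plain data and no escaping is needed.
    static int countByNameBound(Connection con, String name) throws SQLException {
        try (PreparedStatement ps = con.prepareStatement(
                "SELECT COUNT(*) FROM theTable WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(JDBC_URL)) {
            try (Statement st = con.createStatement()) {
                st.execute("CREATE TABLE theTable (name VARCHAR(50), created DATE)");
            }
            try (PreparedStatement ps = con.prepareStatement("INSERT INTO theTable VALUES (?, ?)")) {
                ps.setString(1, "O'Connor");
                // setDate: no DBMS-specific date format string to get right
                ps.setDate(2, java.sql.Date.valueOf("2002-05-03"));
                ps.executeUpdate();
            }
            System.out.println("bound lookup found " + countByNameBound(con, "O'Connor") + " row(s)");
            try {
                countByNameConcat(con, "O'Connor");
            } catch (SQLException e) {
                // The apostrophe closed the literal early; the DBMS rejects the rest as garbage.
                System.out.println("concatenated lookup failed: " + e.getMessage());
            }
        }
    }
}
```

The same apostrophe that merely breaks the query here is what an attacker-chosen name would exploit, which is why the bound form is the one to ship.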
