My main point is that performance generally isn't that much of an issue in
server side web development.
The difference between Statement and PreparedStatement is in the order of
nanoseconds. I'm sure it's less than 1 ms on normal hardware.
That means it would take > 1000 requests to increase the processor time by
1 second. I'd say that this is cheap ;-) I'm not saying performance doesn't
matter at all.
E.g. the difference between using Connection pooling or not is in the order
of 100 - 300 ms. In that case, it does matter.

To answer your question:

- Security: I already said that it was my favorite trick to break into asp
sites (these generally don't use PreparedStatements. I don't know if such a
thing exists in asp).
Imagine your login check as:

    String userName = request.getParameter("userName");
    String password = ....
    // both values are spliced straight into the SQL text, quotes included
    ResultSet rs = stmt.executeQuery("select userName, status from login where userName = '" + userName + "' and password = '" + password + "'");

Now, I can login by using userName/password
test / test' or '1'='1

Believe me. It works. I've seen them doing it, man ;-)

- Stability and correctness:
Think about a last name lookup HTML form and I type in
O'Connor




Geert Van Damme


I also think PreparedStatements are cleaner code. Think about the parallel
with a method name and the arguments. You're not creating several methods
that do the same thing (apart from the arguments).

Geert Van Damme
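The two cases from the mail above (the login check with a quote in the password, and a name such as O'Connor), as an added example that is not part of the original message or of the JSP-INTEREST archive. Python with the standard sqlite3 module stands in for JDBC so that it runs without a database driver; the `?` placeholders play the role of PreparedStatement parameters. The login table, the two accounts and their password values are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original mail):
# two accounts, one of them with an apostrophe in the name.
SAMPLE_USERS = [
    ("test", "secret", "active"),
    ("O'Connor", "pw2", "active"),
]


def make_db():
    """Build an in-memory login table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table login (userName text, password text, status text)")
    conn.executemany("insert into login values (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, user_name, password):
    """The Statement-style check from the mail: user input spliced into SQL text.

    Returns ("ok", rows) or ("error", message). A quote in either value
    changes the SQL itself: with the mail's payload the WHERE clause becomes
    (userName = 'test' and password = 'test') or '1'='1', which matches every
    row; with O'Connor the statement no longer parses at all.
    """
    sql = ("select userName, status from login where userName = '" + user_name
           + "' and password = '" + password + "'")
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def login_prepared(conn, user_name, password):
    """The PreparedStatement-style check: SQL text is fixed, values are bound.

    The driver passes the values separately from the statement, so a quote
    in the input is plain data and cannot alter the query.
    """
    sql = "select userName, status from login where userName = ? and password = ?"
    return ("ok", conn.execute(sql, (user_name, password)).fetchall())


if __name__ == "__main__":
    conn = make_db()
    payload = "test' or '1'='1"  # the value quoted in the mail
    print("concat  :", login_concat(conn, "test", payload))      # every row matches
    print("prepared:", login_prepared(conn, "test", payload))    # no row matches
    print("concat  :", login_concat(conn, "O'Connor", "pw2"))    # SQL syntax error
    print("prepared:", login_prepared(conn, "O'Connor", "pw2"))  # one row, as intended
```

Running it shows both points of the mail at once: the concatenated query lets `test' or '1'='1` log in (it returns every account), and it cannot even look up O'Connor, while the parameterized query returns nothing for the payload and exactly one row for O'Connor.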


> -----Original Message-----
> From: A mailing list about Java Server Pages specification and reference
> [mailto:[EMAIL PROTECTED]]On Behalf Of Ashwani Kalra
> Sent: vrijdag 3 mei 2002 12:34
> To: [EMAIL PROTECTED]
> Subject: Re: PreparedStatement vs Statement
>
>
> Can you explain these four points in terms of
> statements/preparedstatements,
> especially security, stability, correctness?
>
> Ashwani
>
>
> ----- Original Message -----
> From: "Geert Van Damme" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, May 03, 2002 3:42 PM
> Subject: Re: PreparedStatement vs Statement
>
>
> > > Performance will of course play the major role in selecting
> > > between the two.
> > >
> >
> >
> > I seriously doubt that.
> >
> > - Correctness
> > - Stability
> > - Security
> > - Maintainability
> >
> > Are IMO all much more crucial than raw speed.
> >
> > Geert Van Damme
> >
> >
>

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
