Hi,

I saw this article http://www.javaperformancetuning.com/tips/rawtips.shtml which tells you:

  Use prepared statements (PreparedStatement class) [article provides coded example of using Statement vs. PreparedStatement].

This is a very vague statement. This doesn't mean that you should use it every time. See the link below, as given on the above site. They tell you the reason when you should use it, which I also agree with: i.e. if you want to execute the same statement many times, differing only in the parameters to the query. This is because the statement is compiled and cached at the db end, while with Statement this occurs at execution time. (I am not a db expert. Correct me if I am wrong.)

http://www.as400.ibm.com/developer/java/topics/jdbctips.html

So can we say this should be the default usage? And I am again and again saying that I am not against it. I myself am using prepared statements (because of the large number of parameters used by queries, but not because I am executing again and again), because this is a lot cleaner than using the Statement object.

> Now this is nice ??????
> So you're avoiding PreparedStatements because they're slow, but you do issue
> a select * ??????
> You might start with replacing the * with the correct columns. It might give
> you a better performance boost than the Statement.

This was just an example. I meant to say in queries which do not have many input parameters, for example:

  select abc from table1 where name = <<var value>>

I am referring to <<var value>>. Hope this clears up my views. You can try any site. The main comparison will be on performance. And obviously for some queries I have to use prepared statements which cannot be executed by Statement. Of course I agree again that the code is cleaner.

Regds
Ashwani

----- Original Message -----
From: "Geert Van Damme" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 03, 2002 5:12 PM
Subject: Re: PreparedStatement vs Statement


> > > My main point is that performance generally isn't that much an issue in
> > > server side web development.
> >
> > I can't believe this!!! In our project we are trying hard to increase
> > throughput and response time/performance. These small points add up and
> > later create problems.
> >
> > > e.g. the difference between using Connection pooling or not is in the order
> > > of 100 - 300 ms. In that case, it does matter.
> >
> > Ok I agree
> >
> >
> > > Security: I already said that it was my favorite trick to break into asp
> > > sites (these generally don't use PreparedStatements. I don't know if such a
> > > thing exists in asp)
> > > imagine your login check as:
> > > String userName = request.getParameter("userName");
> > > String password = ....
> > > ResultSet rs = stmt.executeQuery("select userName, status from login where
> > > userName = '"+userName+"' and password = '"+password+"'");
> > >
> > > Now, I can login by using userName/password
> > > test / test' or '1'='1
> > >
> > > Believe me. It works. I've seen them doing it, man ;-)
> >
> > I am not including such poorly developed sites.
> >
>
> I didn't say that. But many developers do. So, I'm correct in saying that
> the PreparedStatement should be the default ;-)
>
> The article about the speed difference is about a specific DBMS and a
> specific Driver. I doubt that you would see the same results in another
> setup. So, unless you did proper profiling, you should never give up on
> clean code, security, .. in favor of 'supposed' performance.
> If you did proper tuning, go ahead and use a Statement for performance's
> sake, but the default is still Prepared.
> BTW, I could easily create an ODBC driver that wraps around another one and
> simply implement the PreparedStatement myself by using String concatenation.
> This allows me to switch where I want without changing my code.
>
> > > - Stability and correctness:
> > > Think about a last name lookup HTML form and I type in
> > > O'Connor
> >
> > ??
>
> Think again ;-)
>
> > > I also think PreparedStatements are cleaner code. Think about the parallel
> > > with a method name and the arguments. You're not creating several methods
> > > that do the same thing (apart from the arguments).
> >
> > I also agree. Especially if a query takes 10-15 parameters, I would prefer
> > Prepared statement. However for executing very small queries like "Select *"
> > etc, I don't think it will give me any benefit.
> > I am again saying that use of prepared statements should be done thoughtfully
> > instead of considering it as "default" for executing the queries.
>
> Now this is nice ??????
> So you're avoiding PreparedStatements because they're slow, but you do issue
> a select * ??????
> You might start with replacing the * with the correct columns. It might give
> you a better performance boost than the Statement.
>
> at http://www.javaperformancetuning.com/tips/rawtips.shtml
> about 5 articles are listed that state you should use 'PreparedStatement'
> for performance.
> Only 1 that - in a very particular case (DBMS and Driver) - shows the
> opposite.
>
> Geert Van Damme
>
> ===========================================================================
> To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> Some relevant FAQs on JSP/Servlets can be found at:
>
> http://archives.java.sun.com/jsp-interest.html
> http://java.sun.com/products/jsp/faq.html
> http://www.esperanto.org.nz/jsp/jspfaq.jsp
> http://www.jguru.com/faq/index.jsp
> http://www.jspinsider.com
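The login check and the two inputs Geert mentions (test' or '1'='1 and O'Connor), worked through as an added example that is not part of the thread. It uses Python's sqlite3 module in place of JDBC: string concatenation plays the role of Statement, and execute() with a parameter tuple plays the role of PreparedStatement.setString(). The login table, the sample users and the column names are constructed for the example (the column names follow Geert's query).

```python
import sqlite3

# Constructed sample rows for the example; not data from the thread.
SAMPLE_USERS = [
    ("alice", "s3cret", "active"),
    ("O'Connor", "pw", "active"),
]


def make_db():
    """Build an in-memory 'login' table with the columns used in Geert's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (userName TEXT, password TEXT, status TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, user_name, password):
    """The Statement version: user input is pasted into the SQL text.

    Same shape as
      stmt.executeQuery("select ... where userName = '" + userName
                        + "' and password = '" + password + "'")
    Whatever the user types becomes part of the statement the database parses.
    """
    sql = ("select userName, status from login where userName = '" + user_name
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, user_name, password):
    """The PreparedStatement version: placeholders in the SQL, values bound apart.

    The database parses the fixed text once; the bound values are only ever
    compared as data, so quotes or keywords inside them have no SQL meaning.
    """
    sql = "select userName, status from login where userName = ? and password = ?"
    return conn.execute(sql, (user_name, password)).fetchall()


def concat_fails_with_syntax_error(conn, user_name, password):
    """True if the concatenated query cannot even be parsed (the O'Connor case)."""
    try:
        login_concat(conn, user_name, password)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    bypass = "test' or '1'='1"  # the password Geert types; no user 'test' exists
    print("concat   :", login_concat(db, "test", bypass))    # every row comes back
    print("prepared :", login_prepared(db, "test", bypass))  # []
    print("O'Connor via concat breaks  :",
          concat_fails_with_syntax_error(db, "O'Connor", "pw"))   # True
    print("O'Connor via prepared works :",
          login_prepared(db, "O'Connor", "pw"))                   # [("O'Connor", "active")]
```

With concatenation the WHERE clause becomes userName = 'test' and password = 'test' or '1'='1', and since AND binds tighter than OR the last comparison is always true, so the query matches every account. The same input bound as a parameter matches nothing, and the apostrophe in O'Connor, which is a syntax error when concatenated, is an ordinary character when bound. That is the point Geert is making: the parameterised form is what makes the query correct for all inputs, independent of whatever speed difference a given DBMS and driver happen to show.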
