Hello Ramaswamy!

RRCGL> Thanx Mark, but what I actually wanted to know was.... (Sorry I did not
RRCGL> convey properly)
RRCGL>
RRCGL> String query1="update table1 set field1 = ?, field2= ? where field3
RRCGL> ='"+someBeanInstance.getName()+"' and field4 =
RRCGL> '"+someBeanInstance.getDesc()+"'";
RRCGL> String query2="update table1 set field1 = ?, field2 = ? where field3 = ? and
RRCGL> field4=?";
RRCGL>
RRCGL> I wanted to know, if setting values in the where clause directly rather than
RRCGL> setting them in the PreparedStatement object has any adv/disadv? Is it better
RRCGL> to always set the values in the PreparedStatement Object?
RRCGL> Hope I have put across my doubt now.
RRCGL> Thanx,
RRCGL> Priya
RRCGL>
RRCGL> -----Original Message-----
RRCGL> From: Mark Galbreath [mailto:[EMAIL PROTECTED]]
RRCGL> Sent: Thursday, January 24, 2002 6:30 PM
RRCGL> To: [EMAIL PROTECTED]
RRCGL> Subject: Re: JDBC question - PreparedStatement
RRCGL>
RRCGL> Not worth worrying about. After the first call on the prepared statement,
RRCGL> all variables will be set for any subsequent calls. The nanosecond taken to
RRCGL> set an additional couple of variables' values on the first call is
RRCGL> negligible.
RRCGL> Mark
RRCGL>
RRCGL> -----Original Message-----
RRCGL> From: Ramaswamy, Rathnapriya
RRCGL> Sent: Thursday, January 24, 2002 7:32 AM
RRCGL>
RRCGL> Is there any difference b/w usage of these two queries while using
RRCGL> PreparedStatement?
RRCGL> 1) String query = "update table1 set field1 = ?, field2= ? where field3 =
RRCGL> 'value3' and field4 = 'value4'";
RRCGL> 2) String query = "update table1 set field1 = ?, field2 = ? where field3 = ?
RRCGL> and field4 = ?";

When you set the values via .setString and so on you get your strings
escaped automatically, that is any " is replaced with \" and so on.

It is quite handy, as if the values you pass in are data entered by a user
in a web form it might contain something like

    xxx; drop table yyy

This will do you no harm if you use .setString(), as it gets properly escaped
and is treated just as a single value, but you have to escape everything
yourself and take the responsibility of not allowing anybody anything like
this if you do

    String query1="update table1 set ... '"+someUserEnteredText+"'";

--
Best regards,
 Anton Tagunov                          mailto:[EMAIL PROTECTED]

___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".

Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
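The difference Anton describes between query1 and query2, as an added example that is not part of the thread: Python's sqlite3 module stands in for JDBC here because it binds `?` parameters the same way a PreparedStatement does, and table1 with its rows is constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for the thread's "table1"; field3/field4 are the WHERE columns.
ROWS = [
    (1, "a", "b", "alpha", "desc1"),
    (2, "a", "b", "beta", "desc2"),
    (3, "a", "b", "gamma", "desc3"),
]

def fresh_db():
    """Return a new in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table1 (id integer primary key, field1 text, "
                 "field2 text, field3 text, field4 text)")
    conn.executemany("insert into table1 values (?, ?, ?, ?, ?)", ROWS)
    return conn

def update_concatenated(conn, f1, f2, name, desc):
    """query1 from the thread: the WHERE values are pasted into the SQL text,
    so any quote inside them changes the statement's structure."""
    query1 = ("update table1 set field1 = ?, field2 = ? where field3 = '"
              + name + "' and field4 = '" + desc + "'")
    return conn.execute(query1, (f1, f2)).rowcount

def update_parameterized(conn, f1, f2, name, desc):
    """query2 from the thread: every value, WHERE values included, is bound as a
    parameter and can only ever be compared as data."""
    query2 = ("update table1 set field1 = ?, field2 = ? "
              "where field3 = ? and field4 = ?")
    return conn.execute(query2, (f1, f2, name, desc)).rowcount

def demo(name, desc):
    """Apply both forms to identical fresh copies of the data and report how many
    rows each one touched, or 'error' if the built SQL does not even parse."""
    results = []
    for update in (update_concatenated, update_parameterized):
        try:
            results.append(update(fresh_db(), "x", "y", name, desc))
        except sqlite3.Error:
            results.append("error")
    return tuple(results)

if __name__ == "__main__":
    print(demo("alpha", "desc1"))         # ordinary input: both forms touch 1 row
    print(demo("O'Brien", "desc1"))       # legitimate apostrophe: query1 breaks, query2 is fine
    print(demo("alpha", "zzz' or ''='"))  # quote in user data: query1 hits every row, query2 none
```

The second case is the one that bites in practice even without hostile users: any name containing an apostrophe makes the concatenated statement fail to parse, while the bound parameter is simply compared as the literal string.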