Using Prepared Statements
The PreparedStatement object represents a precompiled SQL statement. A PreparedStatement can be used multiple times and mitigates SQL injection attacks. A PreparedStatement can be a SELECT, INSERT, UPDATE, or DELETE statement.
To execute a prepared statement, you can use the generic execute method of the Statement class. This section describes how to execute a prepared statement.
-
Instantiate a PreparedStatement object with the prepareStatement method of the Connection class.
See Connecting from Code to create the connection.
- Declare parameters by calling the PreparedStatement's corresponding setter method. Note that the parameter indices start from one.
- Call the PreparedStatement's execute method to execute the statement.
- Call the PreparedStatement's getResultSet method to pull the results into a ResultSet object.
- Call ResultSet.next to iterate over the result set. Use the ResultSetMetaData class to obtain column information about the result set. To instantiate a ResultSetMetaData object, call the ResultSet's getMetaData method.
Select
The following example shows how to execute a SELECT prepared statement:
String query = "SELECT * FROM Customers WHERE City=? AND CompanyName=?"; PreparedStatement pstmt = conn.prepareStatement(query); pstmt.setString(1, "XXX"); pstmt.setString(2, "YYY"); boolean ret = pstmt.execute(); if (ret) { ResultSet rs=pstmt.getResultSet(); while(rs.next()) { for(int i=1;i<=rs.getMetaData().getColumnCount();i++) { System.out.println(rs.getMetaData().getColumnLabel(i) +"="+rs.getString(i)); } } }
Insert
To execute an insert, you can use the generic execute method or the executeUpdate method, as shown in the following example.
String query = "INSERT INTO Customers (City, CompanyName) VALUES (?,?)"; PreparedStatement pstmt = conn.prepareStatement(query); pstmt.setString(1, "XXX"); pstmt.setString(2, "YYY"); int count = pstmt.executeUpdate();