What are prepared statements in Java
๐ก Concept: PreparedStatement
A PreparedStatement in JDBC is a precompiled SQL statement that can be executed multiple times with different parameters, enhancing both performance and security.
๐ Quick Intro
Prepared statements are used to safely execute parameterized SQL queries in Java. They help avoid SQL injection and reduce the overhead of repeatedly parsing SQL syntax.
๐ง Analogy
Think of a prepared statement like a reusable baking mold. You create the mold once (prepare the SQL), and reuse it with different ingredients (parameters) to bake cakes (queries) efficiently and consistently.
๐ง Technical Explanation
PreparedStatementis a subinterface ofStatement.- It allows SQL statements with placeholders (?) for parameters.
- The SQL is precompiled, which improves execution speed on repeated use.
- It automatically escapes parameter values, preventing SQL injection.
- Parameters are set using methods like
setString(),setInt(), etc.
๐ฏ Use Cases
- โ Repeated execution of the same query with different values
- โ Preventing SQL injection in user-driven forms
- โ Bulk insertions and batch operations
๐ป Example: Using PreparedStatement
import java.sql.*;
public class PreparedStatementExample {
public static void main(String[] args) {
String url = "jdbc:mysql://localhost:3306/testdb";
String user = "root";
String password = "root123";
try (Connection conn = DriverManager.getConnection(url, user, password)) {
String sql = "SELECT * FROM users WHERE username = ?";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setString(1, "johndoe");
ResultSet rs = pstmt.executeQuery();
while (rs.next()) {
System.out.println(rs.getString("email"));
}
} catch (SQLException e) {
e.printStackTrace();
}
}
}
โ Interview Q&A
Q1: What is a prepared statement in JDBC?
A: A precompiled SQL statement with parameters.
Q2: How does it prevent SQL injection?
A: By separating SQL logic from data inputs.
Q3: Is PreparedStatement reusable?
A: Yes, with different parameter values.
Q4: Which interface does it implement?
A: Statement.
Q5: Can we use it for INSERT and DELETE?
A: Yes.
Q6: What method sets parameters?
A: Methods like setString(), setInt(), etc.
Q7: Can you use multiple ? placeholders?
A: Yes, and set each in order.
Q8: Can PreparedStatement be batched?
A: Yes, using addBatch().
Q9: Is performance better than Statement?
A: Yes, for repeated queries.
Q10: Is SQL precompiled in PreparedStatement?
A: Yes.
๐ MCQs
Q1. Which interface is PreparedStatement a subtype of?
- Driver
- Statement
- Connection
- Query
Q2. Which method sets a string parameter?
- assign()
- setText()
- setString()
- setValue()
Q3. What symbol is used as placeholder in SQL?
- #
- $
- ?
- %
Q4. Why is PreparedStatement safer than Statement?
- Uses more RAM
- Larger buffer
- Prevents SQL injection
- Faster logs
Q5. Is PreparedStatement SQL precompiled?
- No
- Yes
- Sometimes
- Only in MySQL
Q6. Which method executes SELECT?
- run()
- execute()
- executeQuery()
- fetch()
Q7. What method executes INSERT/UPDATE?
- executeQuery()
- executeUpdate()
- runQuery()
- submit()
Q8. Can PreparedStatement improve performance?
- No
- Yes
- Rarely
- Only in JDBC 4.0+
Q9. Is parameter indexing zero-based?
- Yes
- No, starts at 1
- Depends
- Index-free
Q10. Can PreparedStatement be reused with new values?
- No
- Yes
- Sometimes
- Only for SELECT
๐ก Bonus Insight
PreparedStatements can be combined with batch processing for large-scale operations, reducing round-trips to the database and increasing throughput.
๐ PDF Download
Need a handy summary for your notes? Download this topic as a PDF!