Can I also ask what statements can be included here? I imagine you can do "xxx' AND ...'"
But I can't think what malicious code you could use?

Regards,
Peter Dolukhanov

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference [mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Schnitzer
Sent: 03 May 2002 07:02
To: [EMAIL PROTECTED]
Subject: Re: PreparedStatement vs Statement

The primary reason to use PreparedStatement has nothing to do with performance. When you are building your query for a Statement:

    String sql = "SELECT * FROM theTable WHERE name = '" + name + "'";

What malicious code do you think could be inserted by users free to pick their own names? Answer: lots.

With PreparedStatement, you never need to worry about escaping.

Jeff Schnitzer
[EMAIL PROTECTED]

> -----Original Message-----
> From: Ashwani Kalra [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 02, 2002 8:58 PM
> To: [EMAIL PROTECTED]
> Subject: Re: PreparedStatement vs Statement
>
> Hi,
> I think otherwise. Prepared statements are best to be avoided unless you
> are trying to execute some queries which cannot be done from a Statement
> object, like batch processing. From the article below I can conclude that
> the gain in performance of the PStatement becomes visible only after 50-100
> successive inserts.
>
> Doing a simple search on Google gives so much info. Instead of guessing
> which is better please have a look at this link.
>
> http://www.onjava.com/pub/a/onjava/excerpt/oraclejdbc_19/
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Cheers
> Ashwani Kalra
> http://www.geocities.com/ashwani_kalra/
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ----- Original Message -----
> From: "suresh kumar Durairaj" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, May 03, 2002 6:51 AM
> Subject: Re: PreparedStatement vs Statement
>
> > Dear all,
> >
> > From the DB perspective,
> > use of a prepared statement reduces memory usage, as a prepared statement
> > uses bind variables. The query is parsed once for several executions. It is
> > always recommended to use prepared statements wherever possible.
> >
> > Suresh
> >
> > >From: "Lai, Kenny" <[EMAIL PROTECTED]>
> > >Reply-To: A mailing list about Java Server Pages specification and
> > >reference <[EMAIL PROTECTED]>
> > >To: [EMAIL PROTECTED]
> > >Subject: PreparedStatement vs Statement
> > >Date: Thu, 2 May 2002 14:41:20 -0400
> > >
> > >Is there a considerable difference if I create PreparedStatement instead
> > >of Statement after I get my DB connection?
> > >Are there pitfalls I should be aware of (using PreparedStatement)?
> > >
> > >kenny
> > >
> > >===========================================================================
> > >To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff JSP-INTEREST".
> > >For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST DIGEST".
> > >Some relevant FAQs on JSP/Servlets can be found at:
> > >
> > > http://archives.java.sun.com/jsp-interest.html
> > > http://java.sun.com/products/jsp/faq.html
> > > http://www.esperanto.org.nz/jsp/jspfaq.jsp
> > > http://www.jguru.com/faq/index.jsp
> > > http://www.jspinsider.com
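An added example, not from any message in this thread, of the point Jeff makes: Python's sqlite3 module stands in for JDBC here because it uses the same `?` bind-variable syntax as PreparedStatement. The table, its rows and the two test inputs are constructed assumptions.

```python
import sqlite3

# Constructed sample data standing in for the thread's "theTable" (assumption).
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("O'Brien", "obrien@example.invalid"),  # a legitimate name containing a quote
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE theTable (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO theTable VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, name):
    """The Statement pattern from the thread: the user's value is pasted into
    the SQL text, so a quote in the value changes the query itself."""
    sql = "SELECT * FROM theTable WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """The PreparedStatement pattern: '?' is a bind variable. The value travels
    separately from the SQL text, is always treated as data, and never needs
    escaping."""
    return conn.execute("SELECT * FROM theTable WHERE name = ?", (name,)).fetchall()


def compare(conn, name):
    """Run the same lookup both ways; a concatenated query that the database
    rejects as malformed is reported as the string 'error'."""
    try:
        unsafe = lookup_concatenated(conn, name)
    except sqlite3.OperationalError:
        unsafe = "error"
    return {"concatenated": unsafe, "prepared": lookup_prepared(conn, name)}


if __name__ == "__main__":
    db = make_db()
    # An honest value containing a quote breaks the concatenated query outright.
    print("O'Brien:", compare(db, "O'Brien"))
    # A value shaped like Peter's "xxx' AND ...'" rewrites the WHERE clause:
    # the concatenated form matches every row, the prepared form matches none.
    print("crafted:", compare(db, "xxx' OR 'a'='a"))
```

The second case is the answer to Peter's question: with concatenation the name becomes part of the query's logic, while the bound parameter is only ever compared as a literal string.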