SQL Prepared Statements
In addition to running a query as one plain string, relational databases let you send the SQL text with placeholders first and then bind the values for those placeholders separately, so the values are never parsed as part of the SQL. Here is an example using the Java JDBC API:
// formField is untrusted user input. The "?" placeholder is filled by setString(),
// so the value travels as data and is never spliced into the SQL text.
PreparedStatement ps = connection.prepareStatement(
    "SELECT email FROM member WHERE name = ?");
ps.setString(1, formField);   // JDBC parameter indexes are 1-based
ResultSet rs = ps.executeQuery();
Why bother
- Efficiency: the database parses and plans the statement once and can reuse that plan when the same prepared statement is executed again with different values
- Security: a bound value is sent to the database as data, never as part of the SQL text, so it cannot change the structure of the query and is not a SQL injection vector
Two caveats. Placeholders can only stand for values, not for identifiers or keywords (a table or column name, the direction of an ORDER BY); those must be checked against an allow-list before they go into the query text. And the protection only holds if the string passed to prepareStatement() is itself constant: concatenating user input into the SQL and then preparing the result gains nothing.
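The difference between splicing a value into the SQL text and binding it, shown end to end in Python with the standard library's sqlite3 module instead of the JDBC API above. This is an added example and not code from the original page; the member table, its two rows and the ALLOWED_SORT_COLUMNS allow-list are constructed here for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory sample data, standing in for the page's member table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO member (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concat(conn, form_field):
    # VULNERABLE: the untrusted value becomes part of the SQL text, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT email FROM member WHERE name = '" + form_field + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, form_field):
    # SAFE: the SQL text is constant; the value is bound to the "?" placeholder
    # and compared as data, quotes and all.
    sql = "SELECT email FROM member WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (form_field,))]


# Hypothetical allow-list for the one thing a placeholder cannot carry: an identifier.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_emails_sorted(conn, sort_column):
    # ORDER BY takes a column name, which cannot be bound, so the caller's
    # choice is validated against the allow-list before it is spliced in.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % (sort_column,))
    sql = "SELECT email FROM member ORDER BY " + sort_column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"   # classic tautology injection
    print("concatenated:", lookup_concat(conn, payload))   # every row leaks
    print("bound:       ", lookup_bound(conn, payload))    # no such name, empty
    print("sorted:      ", list_emails_sorted(conn, "name"))
```

Running the block shows the concatenated query returning every member's email for the tautology payload, while the bound query returns nothing because it looks for a member literally named x' OR '1'='1. The third function is the allow-list pattern for the identifier case that binding cannot cover.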
