Not All Jdbc Advice Is Good JDBC Advice...

While wandering around the web I stumbled across a link to a sample chapter for 'Java Programming with Oracle JDBC', published in December 2001 by O'Reilly. Now 2001 is a bit dated but one would assume that if they are plugging it on their web site it must still be relevent. And that any glaring

errors would have been corrected, right? Think again...

The author spends the chapter conducting elaborate benchmarks which in his view demonstrate that there's nothing special about PreparedStatement
and that you should really be using Statement most of the time. His reasoning is based on the premise that the additional set up costs of Prepareing a statement and sending all the bind variables etc cause applications to run more slowly than if you had simply said something like:


code>




Statement stmt = conn.createStatement();


stmt.executeUpdate(


"insert into oehr.testxxxperf ( id, code, descr,insert_user, insert_date ) "


"values ( " + Integer.toString( i ) + ", '125678901234567890', "


"'1234567890', " +










"USER, to_date('" + sdf.format(new java.util.Date(System.currentTimeMillis()))
+ "', 'YYYYMMDDHH24MISS'))");

instead of:

PreparedStatement stmt = conn.prepareStatement(


"insert into oehr.testxxxperf ( id, code, descr,insert_user,

insert_date ) " +


"values ( ?, ?, ?, ?, ? )");


startTime = System.currentTimeMillis();


int i=1;


stmt.setInt(1,i);


stmt.setString(2,"123456789012345678901234567890");


stmt.setString(3,"123456789019012345678901234567890");


stmt.setString(4,"ZXVI01");


stmt.setDate(5,newjava.sql.Date(System.currentTimeMillis()));


stmt.executeUpdate();




The point made is that unless you plan on issuing hundreds of statements the first method is faster because it has fewer network round trips and therefore less elapsed time. All of which is true - provided there is only 1 copy of the client software being used. In practice what will happen is that using Statement in preference to PreparedStatement will cause the database server to devote significant resources to compiling execution plans for each and every version of the insert statement being called. Indeed, not using PreparedStatement and bind variables is listed as the second most common mistake in Oracle's '
Top Ten Mistakes Found in Oracle Systems'.There's also a less obvious but equally serious problem with cobbling together your SQL statements instead of using bind variables and PreparedStatement - sooner or later someone with an apostrophe in their name will show up and cause a syntax error:

Int empno = 42;


String empname = "O'Reilly";


String myStatement = "INSERT INTO EMP (empno, ename) VALUES ("


+ empno + ",'" + empname + "');";


But wait... it gets worse! If you're working on a public facing web system and some bright spark realizes you are hacking together SQL statements you could have something like this happen:


Int empno = 42;


String ename = "'Smith', sal = 99999";


String myStatement = "UPDATE EMP set ename = "


+ ename+ " WHERE empno = " + empno');";





which means that your Statement would be:

UPDATE EMP set ename = 'Smith', sal = 99999 WHERE empno = 42;


[This post originally appeared on JRoller]