我知道使用PreparedStatement的好处,就是
I know the advantages of using PreparedStatement, which are
- 查询由数据库服务器重写和编译
- 防止 SQL 注入
但是我想知道我们什么时候用它代替Statement?
But I want to know when we use it instead of Statement?
推荐答案查询由数据库服务器重写和编译
Query is rewritten and compiled by the database server
如果你不使用准备好的语句,数据库服务器将必须解析,并计算一个语句的执行计划每次运行它.如果你发现你将运行相同的语句多次(不同参数)那么值得准备声明一次并重用它准备好的声明.如果你是查询数据库即席然后可能没有什么好处这个.
If you don't use a prepared statement, the database server will have to parse, and compute an execution plan for the statement each time you run it. If you find that you'll run the same statement multiple times (with different parameters) then its worth preparing the statement once and reusing that prepared statement. If you are querying the database adhoc then there is probably little benefit to this.
防止 SQL 注入
Protected against SQL injection
这几乎是你的优势总是想要一个很好的理由每次都使用 PreparedStatement.这是不得不这样做的结果参数化查询,但它确实让它运行起来更安全.这只有一次我能想到这个如果你是,那就没用了允许临时数据库查询;你可能只是使用声明对象,如果你正在制作原型应用程序,它对你来说更快,或者如果查询不包含参数.
This is an advantage you almost always want hence a good reason to use a PreparedStatement everytime. Its a consequence of having to parameterize the query but it does make running it a lot safer. The only time I can think of that this would not be useful is if you were allowing adhoc database queries; You might simply use the Statement object if you were prototyping the application and its quicker for you, or if the query contains no parameters.
更多推荐
我们什么时候应该使用 PreparedStatement 而不是 Statement ?
发布评论