Which is faster? Statement or prepared expression

Often on the network you can find the following code:

private static final String SQL = "SELECT * FROM table_name"; .... 

and for this SQL query, PreparedStatement is used. Why?
As I know, PreparedStatement takes time to precompile the SQL statement. It turns out that the statement is faster than PreparedStatement. Or I'm wrong?

+6
source share
4 answers

Prepared statements are much faster if you must run the same statement several times with different data. This is because SQL will check the query only once, whereas if you just use the statement, it will check the query each time.

Another advantage of using PreparedStatements is to avoid SQL injection vulnerability, although in your case your query is so simple that you did not notice it.

At your request, the difference between running a prepared statement and an statement is probably not significant.

EDIT: In response to your comment below, you will need to carefully examine the DAO class to see what it does. If, for example, every time a method is called, it re-creates a prepared statement, then you lose the advantage of using prepared statements.

What you want to achieve is encapsulating your persistence level so that they are not a specific call to MySQL or Postgres or what you are using, and at the same time take advantage of the performance and security of things like prepared statements. To do this, you need to rely on your own Java objects, such as PreparedStatement ,.

I personally would build my own DAO class to perform CRUD operations using Hibernate under and the Java Persistence API to encapsulate all of this and should use prepared instructions for security benefits. If you have a specific use case for repeated operations, I would tend to wrap it in my own object.

Hibernate can be configured to use any database provider that you use via an XML file, and thus it provides very neat encapsulation of your persistence level. However, it is a rather complicated product to get it right!

+11
source

In most cases, queries are not as simple as your example. If there are any deviations in the query, that is, any parameters that are unknown at compile time, you should use PreparedStatement to avoid SQL injection vulnerabilities. This is superior to any performance issues. If there is any difference between PreparedStatement and Statement, it will be highly dependent on the specific JDBC driver, and in most cases the penalty will be small compared to the cost of moving to the database, executing the actual query and returning the results.

+4
source

Faster not here. Parsing sql will usually be a tiny part of overall execution. See More in When Should We Use PreparedStatement Instead of Statement?

0
source

According to my knowledge, PreparedStatement is much faster than the instruction. This is why the prepared state is faster than the expression, read for more details. The JDBC API provides database connection functionality. Then we try to execute the query using the statement and prepared state.
To complete the request, four steps are performed.

SQL query analysis.
Compile this query.
streamlining data collection.
fulfill the request.

The Statement interface is suitable when we do not need to execute the request several times.

Disadvantages of the Statement interface. a hacker can easily crack data. For example, we have one request that has a username and password, parameters that you can specify for the correct parameters: username = ' abc@example.com ' and password = 'abc123', this is actually the current one. But the hacker can do username = 'abc @ example.com' or '1' = 1 and password = '', which means that you can successfully log in. so it’s possible in a statement.
And sql check every time we retrieve data from the database.

So, Java has a solution to this problem, which is PreparedStatement. This interface has many advantages. main advantages of prepared state - sql does not check the query every time. therefore, you can quickly get the result. Please review the benefits of the material below.

1) We can safely provide the value of query parameters using the setter method. 2) it prevents SQL injection because it automatically escapes special characters. 3) When we use the operator above, four steps are performed each time. But when we use PreparedStatement, only the last steps are performed, so this is faster than the instruction.

0
source

Source: https://habr.com/ru/post/909890/


All Articles