PreparedStatement in Java

A PreparedStatement is a pre-compiled SQL statement. It is a subinterface of Statement and offers several useful features that a plain Statement does not. Instead of hard-coding a query with its values embedded in the text, a PreparedStatement executes a parameterized query: the SQL contains `?` placeholders, and the values are supplied separately.
The SQL query is passed when the PreparedStatement is created. Because the statement is pre-compiled, the DBMS can run it directly at execution time instead of parsing and compiling it first, and the same PreparedStatement can be executed repeatedly with different parameter values. An important advantage of PreparedStatements is that they prevent SQL injection attacks: the parameter values are bound to the placeholders after the query text has been parsed, so user-supplied input is only ever treated as data and can never change the structure of the SQL statement.
Methods of PreparedStatement:
Method | Description
--- | ---
public void setInt(int paramIndex, int value) | sets the int value for the given parameter index.
public void setString(int paramIndex, String value) | sets the String value for the given parameter index.
public void setFloat(int paramIndex, float value) | sets the float value for the given parameter index.
public void setDouble(int paramIndex, double value) | sets the double value for the given parameter index.
public int executeUpdate() | executes the SQL statement. It is used for CREATE, DROP, INSERT, UPDATE, DELETE etc. and returns the number of affected rows.
public ResultSet executeQuery() | executes a SELECT query. It returns an instance of ResultSet.

```java
import java.sql.*;

public class Main {
    public static void main(String[] args) throws Exception {
        // Explicit driver loading (optional with JDBC 4+, which auto-registers drivers).
        Class.forName("oracle.jdbc.driver.OracleDriver");
        Connection con = DriverManager.getConnection(
            "jdbc:oracle:thin:@localhost:1521:xe", "system", "oracle");

        // The query text is fixed; the ? placeholders are filled in by the setXxx calls below.
        String query = "SELECT * FROM students WHERE age > ? AND name = ?";
        PreparedStatement myStmt = con.prepareStatement(query);
        myStmt.setInt(1, 20);            // first placeholder: age
        myStmt.setString(2, "Prateek");  // second placeholder: name

        ResultSet myRs = myStmt.executeQuery();
        while (myRs.next()) {
            String name = myRs.getString("name");
            int age = myRs.getInt("age");
            System.out.println(name + "," + age);
        }

        // Release JDBC resources in reverse order of creation.
        myRs.close();
        myStmt.close();
        con.close();
    }
}
```
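To show why parameter binding matters, here is an added example (not from the original page) that puts a string-concatenated Statement next to the PreparedStatement form and runs the same lookup through both. It assumes an H2 in-memory database driver is on the classpath (the `jdbc:h2:mem:` URL is an assumption) and builds a small `students` table inline as constructed sample data.

```java
import java.sql.*;

public class PreparedVsConcat {
    // Assumption: H2 in-memory database; the table and rows below are constructed sample data.
    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    static void setup(Connection con) throws SQLException {
        try (Statement st = con.createStatement()) {
            st.execute("CREATE TABLE students(name VARCHAR(50), age INT)");
            st.execute("INSERT INTO students VALUES ('Prateek', 22), ('Asha', 19), ('Ravi', 25)");
        }
    }

    // Vulnerable: the caller's text is spliced into the SQL and parsed as part of the query.
    static int countByNameConcat(Connection con, String name) throws SQLException {
        String sql = "SELECT * FROM students WHERE name = '" + name + "'";
        try (Statement st = con.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            int n = 0;
            while (rs.next()) n++;
            return n;
        }
    }

    // Safe: the query is parsed with a placeholder and the text is bound as a plain value.
    static int countByNamePrepared(Connection con, String name) throws SQLException {
        String sql = "SELECT * FROM students WHERE name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                int n = 0;
                while (rs.next()) n++;
                return n;
            }
        }
    }

    public static void main(String[] args) throws Exception {
        try (Connection con = DriverManager.getConnection(URL)) {
            setup(con);
            // Constructed input containing a quote: a value, not a student name.
            String input = "x' OR '1'='1";
            // The concatenated version lets the quote alter the WHERE clause and matches every row;
            // the prepared version compares the whole string as a name and matches nothing.
            System.out.println("concat:   " + countByNameConcat(con, input));
            System.out.println("prepared: " + countByNamePrepared(con, input));
        }
    }
}
```

The same contrast holds for the numeric `setInt` binding in the page's example: a bound parameter is typed and validated by the driver, whereas a concatenated value is just more query text.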