Stack Overflow
Stack Overflow

Questions tagged [prepared-statement]

A Prepared Statement (or parameterized statement) is a precompiled SQL statement that serves to improve performance and mitigate SQL injection attacks. Prepared statements are used in many popular Relational Database Management Systems.

Prepared statements separate data binding from execution. Separating statement preparation from execution can be more efficient for statements that are executed multiple times, because the preparation phase need be done only once. For example, if you need to insert a bunch of rows, you can prepare an INSERT statement once and then execute it repeatedly, binding successive row values to it for each execution. A prepared statement can contain placeholders to indicate where data values should appear. After you prepare the statement, bind specific values to the placeholders (either before or at statement-execution time), then substitute the values into the statement before sending it to the database server.

Also see: ,

6193 questions
93
votes
12 answers

Can parameterized statement stop all SQL injection?

If yes, why are there still so many successful SQL injections? Just because some developers do not use parameterized statements?
iceagle
  • 1,507
  • 2
  • 13
  • 13
92
votes
7 answers

Java: Insert multiple rows into MySQL with PreparedStatement

I want to insert multiple rows into a MySQL table at once using Java. The number of rows is dynamic. In the past I was doing... for (String element : array) { myStatement.setString(1, element[0]); myStatement.setString(2, element[1]); …
Tom Marthenal
  • 3,066
  • 3
  • 32
  • 47
90
votes
4 answers

Example of how to use bind_result vs get_result

I would like to see an example of how to call using bind_result vs. get_result and what would be the purpose of using one over the other. Also the pro and cons of using each. What is the limitation of using either and is there a difference.
Arian Faurtosh
  • 17,987
  • 21
  • 77
  • 115
85
votes
3 answers

MySQLi prepared statements error reporting

I'm trying to get my head around MySQli and I'm confused by the error reporting. I am using the return value of the MySQLi 'prepare' statement to detect errors when executing SQL, like this: $stmt_test = …
Columbo
  • 2,896
  • 7
  • 44
  • 54
75
votes
6 answers

What does a question mark represent in SQL queries?

While going through some SQL books I found that examples tend to use question marks (?) in their queries. What does it represent?
pradeep
71
votes
8 answers

How can I Insert JSON object into Postgres using Java preparedStatement?

I’m struggling to insert a JSON object into my postgres v9.4 DB. I have defined the column called "evtjson" as type json (not jsonb). I am trying to use a prepared statement in Java (jdk1.8) to insert a Json object (built using JEE javax.json…
MaybeWeAreAllRobots
  • 1,105
  • 2
  • 9
  • 12
69
votes
4 answers

Where's my invalid character (ORA-00911)

I'm trying to insert CLOBs into a database (see related question). I can't quite figure out what's wrong. I have a list of about 85 clobs I want to insert into a table. Even when inserting only the first clob I get ORA-00911: invalid character. I…
kentcdodds
  • 27,113
  • 32
  • 108
  • 187
67
votes
6 answers

Using setDate in PreparedStatement

In order to make our code more standard, we were asked to change all the places where we hardcoded our SQL variables to prepared statements and bind the variables instead. I am however facing a problem with the setDate(). Here is the…
roymustang86
  • 8,054
  • 22
  • 70
  • 101
65
votes
5 answers

Is there a way to retrieve the autoincrement ID from a prepared statement

Is there a way to retrieve the auto generated key from a DB query when using a java query with prepared statements. For example, I know AutoGeneratedKeys can work as follows. stmt = conn.createStatement(); stmt.executeUpdate(sql,…
jW.
  • 9,280
  • 12
  • 46
  • 50
62
votes
3 answers

Using Prepared Statement, how I return the id of the inserted row?

I want retrieve the id of a inserted row in the database, but I don't know how to do this. I tried to return using the SQL clause RETURNING id, but not works. How I can return the id after the insertion of a row?
Renato Dinhani
  • 35,057
  • 55
  • 139
  • 199
62
votes
4 answers

How to use a tablename variable for a java prepared statement insert

I am using a java PreparedStatment object to construct a series of batched INSERT queries. The query statement is of the format... String strQuery = "INSERT INTO ? (col1, col2, col3, col4, col5) VALUES (?,?,?,?,?,?);"; ...so both field values and…
ForestSDMC
  • 775
  • 2
  • 7
  • 12
60
votes
3 answers

DIfference Between Stored Procedures and Prepared Statements?

What is the difference between Stored Procedures and Prepared Statements... And which one is better and why...!! I was trying to google it but haven't got any better article...
arsenal
  • 23,366
  • 85
  • 225
  • 331
59
votes
11 answers

PreparedStatements and performance

So I keep hearing that PreparedStatements are good for performance. We have a Java application in which we use the regular 'Statement' more than we use the 'PreparedStatement'. While trying to move towards using more PreparedStatements, I am trying…
Kapsh
  • 20,751
  • 13
  • 36
  • 44
52
votes
7 answers

Variable column names using prepared statements

I was wondering if there was any way to specify returned column names using prepared statements. I am using MySQL and Java. When I try it: String columnNames="d,e,f"; //Actually from the user... String name = "some_table"; //From user... String…
KLee1
  • 6,080
  • 4
  • 30
  • 41
51
votes
7 answers

Does Python support MySQL prepared statements?

I worked on a PHP project earlier where prepared statements made the SELECT queries 20% faster. I'm wondering if it works on Python? I can't seem to find anything that specifically says it does or does NOT.
rubayeet
  • 9,269
  • 8
  • 46
  • 55
1
2
3
99 100