Questions tagged [prepared-statement]

A Prepared Statement (or parameterized statement) is a precompiled SQL statement that serves to improve performance and mitigate SQL injection attacks. Prepared statements are used in many popular Relational Database Management Systems.

Prepared statements separate data binding from execution. Separating statement preparation from execution can be more efficient for statements that are executed multiple times, because the preparation phase need be done only once. For example, if you need to insert a bunch of rows, you can prepare an INSERT statement once and then execute it repeatedly, binding successive row values to it for each execution. A prepared statement can contain placeholders to indicate where data values should appear. After you prepare the statement, bind specific values to the placeholders (either before or at statement-execution time), then substitute the values into the statement before sending it to the database server.


6193 questions
51 votes, 5 answers

Python MYSQL update statement

I'm trying to get this Python MYSQL update statement correct (with variables): cursor.execute ("UPDATE tblTableName SET Year=%s" % Year ", Month=%s" % Month ", Day=%s" % Day ", Hour=%s" % Hour ", Minute=%s" Minute "WHERE Server=%s " % ServerID) …
Adam Chetnik · 1,906 · 5 · 27 · 38
50 votes, 5 answers

How to deal with (maybe) null values in a PreparedStatement?

The statement is SELECT * FROM tableA WHERE x = ? and the parameter is inserted via java.sql.PreparedStatement 'stmt' stmt.setString(1, y); // y may be null If y is null, the statement returns no rows in every case because x = null is always false…
Zeemee · 10,486 · 14 · 51 · 81
44 votes, 4 answers

How to use an arraylist as a prepared statement parameter

I have looked and have been unable to find an answer to the following challenge I am having. It seems pretty straightforward but I have been unable to resolve it. I have an ArrayList of record ids that are type Long -> ArrayList. I would…
Thomas Grady · 752 · 2 · 11 · 22
42 votes, 5 answers

Using prepared statements with JDBCTemplate

I'm using the JDBC template and want to read from a database using prepared statements. I iterate over many lines in a .csv file, and on every line I execute some SQL select queries with corresponding values. I want to speed up my reading from the…
user321068
41 votes, 3 answers

Get last insert id after a prepared insert with PDO

I'm using PHP PDO with PostgreSQL for a new project. Given the following function, how can I return the id of the row just inserted? It doesn't work the way it looks now. function adauga_administrator($detalii) { global $db; $ultima_logare…
Psyche · 8,513 · 20 · 70 · 85
41 votes, 13 answers

SQLite: bind list of values to "WHERE col IN ( :PRM )"

All I want to do is send a query like SELECT * FROM table WHERE col IN (110, 130, 90); So I prepared the following statement SELECT * FROM table WHERE col IN (:LST); Then I use sqlite_bind_text(stmt, 1, "110, 130, 90", -1,…
Sebastian · 2,109 · 1 · 20 · 15
41 votes, 4 answers

Does the preparedStatement avoid SQL injection?

I have read and tried to inject vulnerable SQL queries into my application. It is not safe enough. I am simply using the Statement Connection for database validations and other insertion operations. Are preparedStatements safe? And moreover, will…
Mohamed Saligh · 12,029 · 19 · 65 · 84
40 votes, 6 answers

In JDBC, why do parameter indexes for prepared statements begin at 1 instead of 0?

Everywhere else in Java, anything with an index starts at 0. Is there a reason for the change here or is this just bad design?
Paul Wicks · 62,960 · 55 · 119 · 146
39 votes, 7 answers

Return number of rows affected by SQL UPDATE statement in Java

I'm using a MySQL database and accessing it through Java. PreparedStatement prep1 = this.connection.prepareStatement( "UPDATE user_table SET Level = 'Super' WHERE Username = ?"); prep1.setString(1, username); The update…
Krt_Malta · 9,265 · 18 · 53 · 91
39 votes, 2 answers

SQLite/C# Connection Pooling and Prepared Statement Confusion

I have been spending some time reading different best practices for databases and for SQLite specifically. While reading I found I was doing many things I shouldn't be doing and when attempting to fix these issues I became confused when thinking…
Lux782 · 451 · 1 · 4 · 5
38 votes, 3 answers

Java PreparedStatement retrieving last inserted ID

The answer to this question, done this way, seems to be very difficult to find on the internet. Basically I am inserting values into a MySQL database using PreparedStatement. I use the PreparedStatement to escape the data to prevent SQL Injection…
Devin Dixon · 11,553 · 24 · 86 · 167
37 votes, 2 answers

pdo prepared statements with wildcards

I want to execute the following mysql query: SELECT * FROM `gc_users` WHERE `name` LIKE '%anyname%' I tried this without success: $stmt = $dbh->prepare("SELECT * FROM `gc_users` WHERE `name` LIKE :name"); $stmt->bindParam(':name', "%" . $name .…
K. D. · 4,041 · 9 · 48 · 72
37 votes, 1 answer

bind_param Number of variables doesn't match number of parameters in prepared statement

Here is a snippet from my code: $stmt = $mysqli->prepare("SELECT DISTINCT model FROM vehicle_types WHERE year = ? AND make = '?' ORDER by model"); $stmt->bind_param('is', $year, $make); $stmt->execute(); When I echo out the values for $year…
TMorgan · 655 · 1 · 7 · 13
36 votes, 6 answers

PDO were rows affected during execute statement

I have found many ways to use the exec statement for PDO, but I'm not sure it helps me. My understanding is that I have to use the execute() function for prepared statements. I am updating a row with data from user input, so I would like to use a…
MaurerPower · 2,046 · 7 · 26 · 48
35 votes, 4 answers

Bulk insert in Java using prepared statements batch update

I am trying to fill a resultSet in Java with about 50,000 rows of 10 columns and then insert them into another table using the batchExecute method of PreparedStatement. To make the process faster I did some research and found that while reading…
Mrinmoy · 1,611 · 3 · 18 · 20