Before we jump to the difference, let’s understand what JDBC is first.
JDBC (Java Database Connectivity) is a Java API to connect and execute queries with the database. It is the industry standard for database-independent connectivity that provides universal data access, especially the data stored in Relational Databases. It uses JDBC drivers written in Java programming language to connect any Java application with the database. It allows us to connect to all corporate databases even in a heterogeneous environment.
Statement and PreparedStatement are JDBC interfaces that represent SQL statements sent to the database server. Let’s discuss them in detail and explain the difference between the two.
What is Statement?
Statement is a JDBC interface used for general-purpose access to the SQL database, especially for executing static SQL statements at runtime.
It defines methods and properties to interact with the database using SQL or PL/SQL commands. It is used to execute standard SQL statements such as CREATE, UPDATE, RETRIEVE, and DELETE (CRUD). It works as a carrier between a Java program and the database, but it cannot accept parameters at runtime and it is not pre-compiled, meaning the same SQL statement cannot be reused without being parsed again, which accounts for slower performance than PreparedStatement. Because its query text is usually built by concatenating strings, it is more prone to SQL injection.
What is PreparedStatement?
It is an extended and more powerful version of the Statement interface. Unlike Statement, it can be parameterized: the SQL text contains placeholders whose values are supplied before execution, and the compiled statement can be reused, which accounts for faster performance.
It also helps to write object-oriented code with setter methods (setInt, setString, and so on) that bind values by position. With drivers and servers that support it, the prepared statement is executed via a non-SQL binary communication protocol, a non-textual format used between client and server, which reduces bandwidth usage and speeds up repeated calls to the server.
In simple terms, it is an object that represents a pre-compiled SQL statement.
Difference between JDBC Statement and PreparedStatement
Basic
JDBC Statement and PreparedStatement are interfaces that represent SQL statements used to send SQL or PL/SQL commands and receive data from the database. The Statement interface provides methods and properties to execute queries and updates against the database. It is an interface used for general-purpose access to the database, but it cannot accept IN and OUT parameters. The PreparedStatement interface, on the other hand, extends the Statement interface and is used to execute a pre-compiled SQL statement in JDBC so that the same SQL statement can be used multiple times.
Precompiled Statement
Unlike a JDBC Statement, PreparedStatement is a precompiled statement, which means that when it is executed, the DBMS can run the SQL statement without needing to compile it first. In simple terms, the statement can be run multiple times without being compiled each time. All it does is extend the Statement interface and add the ability to use bind variables. This allows for faster execution, especially when it is used with batches. The Statement, on the other hand, is not precompiled, which makes it less efficient than PreparedStatement.
Input Parameters
A Statement interface cannot pass parameters to SQL queries at runtime, as it can only be used to execute static SQL statements and cannot accept input parameters. An input parameter is a placeholder (written as ?) in an SQL statement whose value is supplied by the program before execution; the same mechanism is used to pass data to stored procedures and functions. The PreparedStatement interface, on the contrary, can pass parameters to SQL queries at runtime and can have one or more IN parameters, which ultimately allows us to execute dynamic queries.
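The two points above (a statement compiled once and reused, and values passed as IN parameters) are illustrated by the following added example. It is not code from the original article; it assumes the H2 in-memory JDBC driver is on the classpath (the URL below is a constructed placeholder, and any other JDBC driver works with only the URL changed), and the sample rows are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.List;

public class PreparedBatchDemo {

    // Assumption: the H2 in-memory driver is on the classpath.
    // Any JDBC driver works here; only the URL changes.
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {
            try (Statement ddl = conn.createStatement()) {
                // Static DDL with no parameters: a plain Statement is appropriate here.
                ddl.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64), role VARCHAR(16))");
            }

            // Constructed sample rows; one name contains an apostrophe on purpose.
            List<String[]> rows = List.of(
                new String[]{"1", "alice", "admin"},
                new String[]{"2", "O'Brien", "user"},
                new String[]{"3", "carol", "user"});

            // One PreparedStatement: the SQL text is compiled once and executed
            // once per row through a batch, with each value bound by position.
            String insert = "INSERT INTO users (id, name, role) VALUES (?, ?, ?)";
            try (PreparedStatement ps = conn.prepareStatement(insert)) {
                for (String[] r : rows) {
                    ps.setInt(1, Integer.parseInt(r[0]));
                    ps.setString(2, r[1]);   // bound as data, never parsed as SQL text
                    ps.setString(3, r[2]);
                    ps.addBatch();
                }
                int[] counts = ps.executeBatch();
                System.out.println("rows inserted: " + counts.length);
            }

            // The same prepared query reused with different IN parameter values.
            String select = "SELECT id, name FROM users WHERE role = ?";
            try (PreparedStatement ps = conn.prepareStatement(select)) {
                for (String role : List.of("admin", "user")) {
                    ps.setString(1, role);
                    try (ResultSet rs = ps.executeQuery()) {
                        while (rs.next()) {
                            System.out.printf("%s -> %d %s%n",
                                role, rs.getInt("id"), rs.getString("name"));
                        }
                    }
                }
            }
        }
    }
}
```

Note that the apostrophe in "O'Brien" needs no special handling: because it is bound through setString, the driver never lets it reach the SQL parser as part of the statement text. With a Statement built by concatenation, that same row would require manual quoting to insert at all.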
Binary Communication Protocol
Where the driver and server support it, PreparedStatement is executed via a non-SQL binary communication protocol, meaning a non-textual format is used to communicate between client and server instead of the less efficient text protocol. In binary protocols the data is sent in binary form, which is much faster to parse and is the most efficient way to interface a client to a server. This results in less bandwidth usage and faster communication calls to the server, which speeds things up for repetitive select queries. No such protocol is available through the Statement interface.
SQL Injection
It refers to an injection attack that can read, alter, or destroy the contents of a database. It is one of the most common techniques for injecting malicious input into SQL statements so that the database reveals data to the attacker or carries out unintended changes. Untrusted input is accepted by an application and then passed to the SQL database as part of the query text, where it can change the meaning of the statement. PreparedStatement is resilient against SQL injection because it uses parameterized queries: the SQL text is fixed when the statement is prepared, and the values are bound separately, so special characters such as quotes in the input are treated as data and cannot alter the structure of the query. Statement cannot prevent SQL injection when we build the query from concatenated SQL strings in JDBC, because the input becomes part of the SQL text that the database parses.
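The following added example (not code from the original article) puts the concatenated Statement lookup beside its PreparedStatement equivalent and runs both on a name containing an apostrophe. It assumes the H2 in-memory driver is on the classpath (constructed placeholder URL; any JDBC driver works), and the table rows and inputs are constructed for the demonstration.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

public class StatementVsPreparedLookup {

    // Assumption: H2 in-memory driver on the classpath; only the URL is driver-specific.
    private static final String URL = "jdbc:h2:mem:lookup;DB_CLOSE_DELAY=-1";

    // VULNERABLE: the caller's input is spliced into the SQL text, so any quote
    // in it is read by the database parser as SQL, not as part of the name.
    static List<String> findRolesUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = '" + name + "'";
        List<String> roles = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) roles.add(rs.getString(1));
        }
        return roles;
    }

    // HARDENED: the SQL text is fixed at prepare time; the name travels as a bound
    // parameter, so the database compares against the exact string, quotes included.
    static List<String> findRolesSafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT role FROM users WHERE name = ?";
        List<String> roles = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) roles.add(rs.getString(1));
            }
        }
        return roles;
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL);
             Statement setup = conn.createStatement()) {
            // Constructed table; the SQL-literal form O''Brien stores the name O'Brien.
            setup.execute("CREATE TABLE users (name VARCHAR(64), role VARCHAR(16))");
            setup.execute("INSERT INTO users VALUES ('alice', 'admin'), ('O''Brien', 'user')");

            // Constructed inputs: a plain name and one containing an apostrophe.
            for (String input : List.of("alice", "O'Brien")) {
                System.out.println("prepared: " + input + " -> " + findRolesSafe(conn, input));
                try {
                    System.out.println("concat:   " + input + " -> " + findRolesUnsafe(conn, input));
                } catch (SQLException e) {
                    // The apostrophe closed the string literal early and the remainder of
                    // the input was parsed as SQL. A syntax error is the benign outcome;
                    // input shaped to stay syntactically valid would instead change the
                    // WHERE clause, which is the injection the text above describes.
                    System.out.println("concat:   " + input + " -> SQL error: " + e.getMessage());
                }
            }
        }
    }
}
```

The prepared lookup returns [user] for "O'Brien" and the concatenated one fails with a syntax error, which shows the actual difference: PreparedStatement does not escape the input, it keeps the input out of the SQL text altogether. When reviewing JDBC code, the check to apply is simple: any query whose text is assembled with + from values that originate outside the program should be rewritten with ? placeholders and setXxx calls.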
Statement vs. PreparedStatement: Comparison Chart
Summary of JDBC Statement vs. PreparedStatement
The JDBC Statement and PreparedStatement interfaces define methods and properties to send and receive data from the SQL database. While a basic Statement is enough to execute simple SQL statements, it is hard to beat the flexibility and the benefits provided by using PreparedStatement. While the Statement interface is a general purpose carrier used to execute static SQL statements, PreparedStatement is a parameterized statement used to execute dynamic SQL statements. The main difference between the two is that PreparedStatement is a pre-compiled statement meaning the same SQL command can be used multiple times which accounts for better performance and faster results.