Java Notes
Master PreparedStatement — parameterized queries, SQL injection prevention, performance benefits, batch operations, and CRUD patterns.
What is PreparedStatement?
PreparedStatement extends Statement and represents a precompiled SQL statement with parameter placeholders (?). It's the standard way to execute parameterized queries safely and efficiently.
// Statement (UNSAFE for user input)
String sql = "SELECT * FROM users WHERE name = '" + userName + "'"; // SQL injection!
// PreparedStatement (SAFE)
String sql = "SELECT * FROM users WHERE name = ?";
PreparedStatement pstmt = conn.prepareStatement(sql);
pstmt.setString(1, userName); // Parameters are properly escaped
ResultSet rs = pstmt.executeQuery();Setting Parameters
PreparedStatement pstmt = conn.prepareStatement(
"INSERT INTO employees (first_name, last_name, email, department, salary, hire_date, is_active) " +
"VALUES (?, ?, ?, ?, ?, ?, ?)");
// Parameter index starts at 1 (not 0!)
pstmt.setString(1, "John"); // VARCHAR
pstmt.setString(2, "Doe"); // VARCHAR
pstmt.setString(3, "john@example.com"); // VARCHAR
pstmt.setString(4, "Engineering"); // VARCHAR
pstmt.setDouble(5, 85000.00); // DECIMAL
pstmt.setDate(6, java.sql.Date.valueOf("2024-01-15")); // DATE
pstmt.setBoolean(7, true); // BOOLEAN
int rows = pstmt.executeUpdate();
// All setter methods:
pstmt.setInt(1, 42); // INT
pstmt.setLong(1, 123456789L); // BIGINT
pstmt.setFloat(1, 3.14f); // FLOAT
pstmt.setDouble(1, 3.14159); // DOUBLE
pstmt.setString(1, "text"); // VARCHAR, TEXT
pstmt.setBoolean(1, true); // BOOLEAN, TINYINT(1)
pstmt.setBigDecimal(1, new BigDecimal("99.99")); // DECIMAL
pstmt.setDate(1, java.sql.Date.valueOf(LocalDate.now())); // DATE
pstmt.setTime(1, java.sql.Time.valueOf(LocalTime.now())); // TIME
pstmt.setTimestamp(1, java.sql.Timestamp.valueOf(LocalDateTime.now())); // DATETIME
pstmt.setNull(1, Types.VARCHAR); // NULL value
pstmt.setBytes(1, byteArray); // BINARY, VARBINARY
pstmt.setBlob(1, inputStream); // BLOB
pstmt.setClob(1, reader); // CLOB, TEXT
pstmt.setObject(1, anyObject); // Auto-detect typeComplete CRUD with PreparedStatement
Handling NULL Values
// Setting NULL
pstmt.setNull(4, Types.VARCHAR); // Explicitly set NULL
pstmt.setString(4, null); // Also works for most drivers
// Reading NULL
ResultSet rs = pstmt.executeQuery();
while (rs.next()) {
double salary = rs.getDouble("salary");
if (rs.wasNull()) {
System.out.println("Salary is NULL");
}
// Better approach: use wrapper types
Integer age = (Integer) rs.getObject("age"); // Returns null if DB NULL
String phone = rs.getString("phone"); // Returns null if DB NULL
}Salary is NULL
Batch Operations with PreparedStatement
Inserted " + count + " employees in batch
PreparedStatement for Complex Queries
Interview Questions
Q1: Why is PreparedStatement preferred over Statement?
Answer: (1) Prevents SQL injection by separating SQL from data, (2) Better performance through query plan caching, (3) Type-safe parameter binding, (4) Supports binary data (BLOB/CLOB), (5) More readable code without string concatenation.
Q2: How does PreparedStatement prevent SQL injection?
Answer: Parameters (?) are treated as data, not SQL code. The database driver escapes special characters and the database engine never interprets parameter values as SQL syntax — they're bound after parsing.
Q3: What is the difference between setNull() and passing null to setString()?
Answer: Both set the parameter to SQL NULL. setNull(index, Types.X) is explicit and works for all types. setString(index, null) works for most drivers but setNull() is more portable and required for some column types.
Q4: How does batch processing improve performance?
Answer: Instead of N network round-trips for N inserts, batch processing sends all statements in one network call. Combined with rewriteBatchedStatements=true in MySQL, it can convert individual INSERTs into multi-row INSERT which is 10-50x faster.
Q5: What happens if you call setString(1, value) when the column is INT?
Answer: The database will attempt type conversion. If the string is a valid number (e.g., "42"), it works. Otherwise, you get a SQLException. Always use the correct setXxx() method matching the column type.
Q6: Can you reuse a PreparedStatement with different parameters?
Answer: Yes! That's the main advantage. Call clearParameters(), set new values, and execute again. The compiled execution plan is reused, saving parse time.
Summary
In this chapter, we learned about PreparedStatement in JDBC in detail. Here are the key points:
- Basic introduction to the concept and why it is needed
- Syntax and structure with complete examples
- Internal working and best practices
- Real-world applications and use cases
- Common mistakes and how to avoid them
- How this topic is asked in interviews
To practice these concepts, write and run the code in your IDE and verify the output. Modify each example and experiment so that you deeply understand the concept.
Exam Focus
Revise definitions, diagrams, examples, and short-answer points for PreparedStatement in JDBC.
Interview Use
Prepare one clear explanation, one practical example, and one common mistake for this Java Master Course topic.
Search Terms
java-master-course, java master course, java, master, course, jdbc, preparedstatement, preparedstatement in jdbc
Related Java Master Course Topics