Describe PreparedStatement interface

PreparedStatement is a feature of JDBC that allows an application developer to create an SQL statement without having to supply arguments at the time the program is compiled. Instead, the arguments can be supplied when the program runs. The parameters are indicated with a "?" when the statement is composed.

The JDBC PreparedStatement interface is a subinterface of the Statement interface and provides several key characteristics that make it a powerful tool for executing parameterized SQL statements in Java applications. Some of the characteristics of the PreparedStatement interface include:

1. Parameterized statements: The PreparedStatement interface allows for the creation of parameterized SQL statements, where input values can be substituted into the statement at runtime using placeholders such as "?" or named parameters.
2. Compilation and caching: PreparedStatements are precompiled at the database side, reducing the processing time required to execute a statement. PreparedStatements can also be cached by the database, providing further performance improvements in subsequent executions of the same statement.
3. SQL Injection prevention: PreparedStatements help to prevent SQL injection attacks by automatically handling special characters that may be present in input values. This reduces the risk of malicious SQL code being inserted into a statement and executed on the database.
4. Better Performance: By using PreparedStatements, queries can be executed faster than normal Statements as they are pre-compiled by the database and the database can reuse them as long as there is no change in the structure of the query.
5. Increased Reusability: PreparedStatements can be used multiple times with different parameters, which increases code reusability and helps to reduce code duplication.

Overall, the PreparedStatement interface provides a more efficient and secure way of executing SQL statements in Java applications by supporting parameterized queries, precompilation, and automatic handling of special characters. These characteristics make it a popular choice for developers working with databases in Java.

You know you need to create and load another table to store physician information. The JDBC skills you have will allow you to load the table using

executeUpdate()

methods, but still you wonder if there is another way to accomplish that. You decide to create a program that will load this new data, but to do it in a batch style format. Rather than having it done interactively, or by writing a specific program to perform only these updates, you would like a more general way to do it. Perhaps the program could be smart enough to pull the SQL statements from a file and execute them without putting them right in the program itself. Such a program could be helpful beyond just its use to insert the physician information. You begin to consider how to accomplish this.
There are a couple of JDBC features that look as if they might help you. The first is PreparedStatement and the other is Batch Statements.

PreparedStatement pstmt = con.prepareStatement("UPDATE hospital SET NAME = ? WHERE ID = ?");
   pstmt.setString(1, "New Hospital");
   pstmt.setInt(2, 10592);

You provide values for these arguments with "setter" methods that have the form

setXXX()

.
The XXX portion refers to the SQL data type used in the parameter. This is similar to the getXXX() methods you saw earlier when we discussed ResultsSets. The parameters are referred by the order in which they are used. The first "?" is 1, the second is 2, and so on. Click the View Code button to see an example.
Here, con is an active connection, of course. Notice the positional references and that they are used in the "setter" methods to assign a value to a parameter. Notice also that a PreparedStatement object is created from a Connection object, just as a regular statement is created. Since PreparedStatement extends Statement, all the methods of a Statement object are available in a PreparedStatement object.

A PreparedStatement is actually compiled and saved for you to reuse (at least as long as you have the PreparedStatement object open). This makes it somewhat more efficient than the standard way of using a Statement. If you execute a PreparedStatement more than once, the database will have a plan for performing its work already available for those subsequent calls, and it won't have to recreate that plan.
The following diagram compares the non PreparedStatement and PreparedStatement execution.
In the next lesson, you will learn about batch processing.