Prepared statements are used for developing database applications. They enable the use of SQL statements with placeholders in methods of the language selected for the database application.
Placeholders can only represent values, not the names of database objects, such as the name of a table, for example. You can use either a question mark (?) or a variable name (:input) as placeholders. If you use the same variable name more than once, this represents more than one parameter.
Advantages of prepared statements over simple SQL statements include:
· They are more efficient, because the database system only needs to parse them once, even if they are used more than once (see shared SQL).
· They are more secure, because they separate the SQL logic and the data specified by the user and so decrease the risk of a user deliberately specifying invalid values (SQL injection). See MaxDB Security Guide, Checking User Inputs in SQL Statements
You can use prepared statements with the following MaxDB interfaces:
MaxDB Interfaces: Prepared Statements
Interface |
Implementation |
JDBC |
Class PreparedStatement |
ODBC |
Method SQLPrepare |
SQLDBC |
Class SQLDBC_PrepareStatement |
PHP |
maxdb_prepare |
Perl |
prepare |
Python |
Prepared statement for the MaxDB SQLDBC interface:
SQLDBC_PrepareStatement *stmt = conn->createPreparedStatement();
SQLDBC_Retcode rc = stmt->prepare("SELECT * FROM CUSTOMER");
if (rc != SQLDBC_OK) {
// Handle error ...
}
rc = stmt->execute();
if (rc != SQLDBC_OK) {
// Handle error ...
}