Prepared statements are used for developing database applications. Prepared statements enable you to use SQL statements with placeholders in methods of the language selected for the database application.
Use a question mark (?) as the placeholder in the SQL statement; the actual values are bound to the placeholders before the statement is executed.
Prepared statements have the following advantages when compared to simple SQL statements:
They are more efficient, because the database system only needs to parse them once, even if they are used more than once (see Shared SQL).
They are more secure, because the SQL logic is kept separate from the data supplied by the user: a bound value is passed as data and is never interpreted as part of the statement text, which reduces the risk of a user deliberately crafting input that alters the statement (SQL injection).
Interface | Implementation
---|---
JDBC | PreparedStatement class
ODBC | SQLPrepare method
SQLDBC | SQLDBC_PreparedStatement class
PHP | maxdb_prepare
Perl | prepare
Python | Method prepare (class SapDB_Session), class SapDB_Prepared (module sdb.sql)
Prepared statement for the SAP MaxDB SQLDBC interface:
SQLDBC_PreparedStatement *stmt = conn->createPreparedStatement();
SQLDBC_Retcode rc = stmt->prepare("SELECT zip, name FROM hotel.city WHERE name = ?");
if (rc != SQLDBC_OK) {
    // Handle error ...
}
// Bind a host variable to the '?' placeholder before executing; the bound
// value is transferred as data, not parsed as SQL. "Berlin" is a sample value.
char cityName[] = "Berlin";
SQLDBC_Length cityNameLen = SQLDBC_NTS;   // null-terminated string
rc = stmt->bindParameter(1, SQLDBC_HOSTTYPE_ASCII, cityName, &cityNameLen, sizeof(cityName));
if (rc != SQLDBC_OK) {
    // Handle error ...
}
rc = stmt->execute();
if (rc != SQLDBC_OK) {
    // Handle error ...
}
conn->releaseStatement(stmt);
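The following is an added example, not part of the SAP MaxDB documentation, that shows why the separation of statement text and data matters. It issues the same lookup on a city table twice: once with the user's value concatenated into the SQL text, and once as a prepared statement with a ? placeholder. Python's built-in sqlite3 module stands in for the MaxDB sdb.sql module so that the example runs offline; it uses the same ? placeholder convention. The table and rows are constructed sample data modelled on the hotel.city demo table.

```python
"""Prepared statement with a '?' placeholder versus string concatenation.

sqlite3 is used as a stand-in for SAP MaxDB; the city table and its rows
are constructed sample data, not taken from a real database.
"""
import sqlite3

# Constructed sample rows (zip, name).
SAMPLE_CITIES = [
    ("10001", "New York"),
    ("20001", "Washington"),
    ("60601", "Chicago"),
]


def make_db():
    """Create an in-memory database with a small city table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE city (zip TEXT, name TEXT)")
    # executemany binds each tuple to the two placeholders in turn.
    conn.executemany("INSERT INTO city VALUES (?, ?)", SAMPLE_CITIES)
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable variant: the user's value becomes part of the SQL text,
    so quote characters in it change the meaning of the statement."""
    sql = "SELECT zip, name FROM city WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Safe variant: the statement text is fixed at prepare time and the
    value is bound to the '?' placeholder, so it is only ever compared
    as data against the name column."""
    sql = "SELECT zip, name FROM city WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both variants with an ordinary value and with input that
    contains a quote character, and return the four result sets."""
    conn = make_db()
    normal = "Chicago"
    quoted = "' OR '1'='1"   # input containing a quote character
    return {
        "concat_normal": lookup_concatenated(conn, normal),
        "concat_quoted": lookup_concatenated(conn, quoted),
        "prepared_normal": lookup_prepared(conn, normal),
        "prepared_quoted": lookup_prepared(conn, quoted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:16s} -> {rows}")
```

With the concatenated variant, the quoted input turns the WHERE clause into a condition that is always true and every row is returned; with the prepared statement the same input is simply a name that matches no row, and the result is empty.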
Database Studio, Testing Prepared Statements
SAP MaxDB Security Guide, Checking User Inputs in SQL Statements.