You are on the right track, Raja. The basic "createStatement()" method returns a "Statement" instance that can be used to send SQL to the database for execution. Every SQL you send will get validated, compiled, and executed.
With the "prepareStatement(...)" method call you pass in the SQL once (at creation time) where it can be validated and compiled. It will throw an exception if the SQL is syntactically invalid, or references tables or columns that don't exist, or if the number of parameters (?) doesn't match up with the number of values specified. That's what happens when you do:
With this prepared statement you can do only one thing: insert records into the "EMP" table. You have now told the database what you want to do, but not what values to insert. That comes with the second set of statements:
This means that using the given prepared statement (pstmt), you want to use "Jim" as the first parameter and "274 7071" as the second parameter, and then execute the SQL against the database.
There is overhead in using prepared statements, and if you only insert a few records it will probably take a little more time. However, if you insert many records you will see a performance gain.
There is another advantage to using prepared statements, and that is with handling String and Date/Time data. Some databases use single quotes as text delimiters, others use double quotes, and some recognize either. However, if you want to insert character data containing single and/or double quotes, this can be tricky using a regular Statement. And if you move from one database to another this can force you to modify your SQL. The same can be said about inserting dates and times: each database has a different format that you have to follow.
But when you use a PreparedStatement, the values you specify with "setString(...)" can contain single quotes or double quotes and the underlying JDBC classes will take care of the conversion for you. This is a big advantage of using prepared statements.
Good luck!
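The contrast described in the post, as an added example that is not part of the original reply: a regular Statement built by string concatenation breaks on a name containing a single quote, while a PreparedStatement binds the same value with setString(...) and a date with setDate(...) without any quoting work. It assumes an H2 driver is on the classpath (any JDBC driver works the same way) and a constructed EMP table with NAME, PHONE and HIRED columns; none of these come from the original thread.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PreparedStatementDemo {

    // Assumption: H2 in-memory database, driver jar on the classpath.
    // Any JDBC URL pointing at a database with an EMP table would do.
    static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL)) {

            // Constructed sample table for the demo.
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE EMP (NAME VARCHAR(50), PHONE VARCHAR(20), HIRED DATE)");
            }

            // A value with an embedded single quote: the case the post calls "tricky".
            String name = "O'Brien";
            String phone = "274 7071";

            // 1) Regular Statement with concatenation. The quote in the name closes the
            //    string literal early, so the database sees malformed SQL and rejects it.
            String concatenated =
                "INSERT INTO EMP (NAME, PHONE) VALUES ('" + name + "', '" + phone + "')";
            try (Statement st = conn.createStatement()) {
                st.executeUpdate(concatenated);
            } catch (SQLException e) {
                System.out.println("Statement failed on the embedded quote: " + e.getMessage());
            }

            // 2) PreparedStatement. The SQL text is validated and compiled once; the values
            //    are sent separately as parameters, so quotes in the data never touch the SQL.
            String sql = "INSERT INTO EMP (NAME, PHONE, HIRED) VALUES (?, ?, ?)";
            try (PreparedStatement pstmt = conn.prepareStatement(sql)) {
                pstmt.setString(1, name);                                  // quote handled by JDBC
                pstmt.setString(2, phone);
                pstmt.setDate(3, java.sql.Date.valueOf("2024-01-15"));     // no DB-specific date format
                pstmt.executeUpdate();

                // Reuse the compiled statement for a second row: only the parameters change.
                pstmt.setString(1, "Jim");
                pstmt.setString(2, "274 7072");
                pstmt.setDate(3, java.sql.Date.valueOf("2024-02-01"));
                pstmt.executeUpdate();
            }

            // A parameterised lookup for the quoted name: the bound value is compared
            // literally, which is exactly why it is also the safe way to handle user input.
            try (PreparedStatement q =
                     conn.prepareStatement("SELECT COUNT(*) FROM EMP WHERE NAME = ?")) {
                q.setString(1, name);
                try (ResultSet rs = q.executeQuery()) {
                    rs.next();
                    // Expected: 1 row (the concatenated insert never succeeded)
                    System.out.println("Rows named " + name + ": " + rs.getInt(1));
                }
            }
        }
    }
}
```

Run it with the H2 jar on the classpath (for example `java -cp h2.jar:. PreparedStatementDemo`); the first insert fails with a syntax error from the stray quote, and the prepared inserts succeed with the same data and no escaping code.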