Originally posted by seby mathew:
There's a popular belief that using a PreparedStatement object is faster than using a Statement object. After all, a prepared statement has to verify its metadata against the database only once, while a statement has to do it every time. The truth of the matter is that it takes about 65 iterations of a prepared statement before its total time for execution catches up with a statement.
- www.oreilly.com
The URL you wished to cite is incomplete; the full URL is:
www.oreilly.com Oracle/JDBC
That widely cited performance test (using Oracle) has a major bug in it and was totally discredited years ago; it was actually comparing the time to execute a set of Statements with the time to load the PreparedStatement class plus execute the same sized set of PreparedStatements. Class loading time is very significant, so it was an "apples to oranges" test that gives wrong and misleading results.
In fact, when the test is done correctly, executing a single PreparedStatement is about as fast as a single Statement, and after that, PreparedStatement is faster (on Oracle). A quick summary of results:
Rows to insert    Statement        PreparedStatement
1                 0.05 seconds     0.05 seconds
10                0.30 seconds     0.18 seconds
100               2.69 seconds     1.44 seconds
1000              28.25 seconds    15.25 seconds
See here, about the 2nd or 3rd section down:
http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:10128287191505
The code that produces this result is supplied, so you can try it for yourself.
Because PreparedStatement objects are precompiled, their execution can be faster than that of Statement objects. Consequently, an SQL statement that is executed many times is often created as a PreparedStatement object to increase efficiency.
- java.sun.com
When it comes to Oracle database performance, I would rather believe Tom Kyte, a VP at Oracle and the author of my above-cited link, than anything Sun has to say.
'Protection against SQL-injection attacks' is of course an advantage, but not the primary advantage.
I don't know how you rate something "primary", but I consider preventing unauthorized use or even unauthorized destruction of data by strangers on the Internet pretty important.
This is not the right space to discuss the company policy.
Using PreparedStatement correctly is important enough that a company that has been using JDBC extensively for 7 years considers the inappropriate use of Statement as a warning sign when making hiring decisions.
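As an added illustration (this is not code from the thread, nor from Tom Kyte's test), here is the injection point raised above in runnable form. It uses Python's built-in sqlite3 module against an in-memory database instead of JDBC, so it runs with no driver on the classpath; the mapping to JDBC is direct: login_concat corresponds to Statement.executeQuery on a concatenated string, login_bound to PreparedStatement with setString. The users table, its rows, the attacker's input and the O'Brien login are all constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; not from the original thread.
SEED_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # One fixed SQL text, many bound rows: the same idea as a JDBC
    # PreparedStatement reused with addBatch/executeBatch.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Statement-style anti-pattern: SQL text assembled from user input.

    Equivalent to stmt.executeQuery("SELECT ... '" + name + "' ...") in JDBC.
    Whatever the user types becomes part of the SQL grammar.
    """
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    """PreparedStatement-style: SQL text is fixed, values are bound.

    Equivalent to ps.setString(1, name); ps.setString(2, password) in JDBC.
    A bound value can never change the statement's structure.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def attempt(login_fn, conn, name, password):
    """Run a login function, returning the error text instead of raising."""
    try:
        return login_fn(conn, name, password)
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"   # classic tautology payload, constructed here
    print("concat, good creds :", attempt(login_concat, db, "alice", "s3cret"))
    print("concat, injected   :", attempt(login_concat, db, "alice", injected))
    print("concat, O'Brien    :", attempt(login_concat, db, "o'brien", "pw"))
    print("bound,  good creds :", attempt(login_bound, db, "alice", "s3cret"))
    print("bound,  injected   :", attempt(login_bound, db, "alice", injected))
    print("bound,  O'Brien    :", attempt(login_bound, db, "o'brien", "pw"))
```

With the concatenated query the payload turns the WHERE clause into `name = 'alice' AND password = '' OR '1'='1'`, which matches every row, so the attacker is "logged in" without a password; the bound version simply finds no user whose password is that literal string. The O'Brien case shows the same defect from the honest side: an apostrophe in legitimate input breaks the concatenated query with a syntax error, while the bound query handles it, because the driver, not the application, is responsible for quoting.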