Prepared Statement

Prepared statements are used for developing database applications. They enable the use of SQL statements with placeholders in methods of the language selected for the database application.

Placeholders can only represent values, not the names of database objects, such as the name of a table, for example. You can use either a question mark (?) or a variable name (:input) as placeholders. If you use the same variable name more than once, this represents more than one parameter.

Advantages of prepared statements over simple SQL statements include:

·        They are more efficient, because the database system only needs to parse them once, even if they are used more than once (see shared SQL).

·        They are more secure, because they separate the SQL logic and the data specified by the user and so decrease the risk of a user deliberately specifying invalid values (SQL injection). See MaxDB Security Guide, Checking User Inputs in SQL Statements

You can use prepared statements with the following MaxDB interfaces:

MaxDB Interfaces: Prepared Statements

Interface

Implementation

JDBC

Class PreparedStatement

ODBC

Method SQLPrepare

SQLDBC

Class SQLDBC_PrepareStatement

PHP

maxdb_prepare

Perl

prepare

Python

Method prepare, Class SAPDB_Prepared

Example

Prepared statement for the MaxDB SQLDBC interface:

SQLDBC_PrepareStatement *stmt = conn->createPreparedStatement();

   SQLDBC_Retcode rc = stmt->prepare("SELECT * FROM CUSTOMER");

   if (rc != SQLDBC_OK) {

     // Handle error ...

   }

   rc = stmt->execute();

   if (rc != SQLDBC_OK) {

     // Handle error ...

   }