Executing SQL commands with executeUpdate() or through PrepareStatement objects v42.7.3.1
In the previous example, ListEmployees
executed a SELECT
statement using the Statement.executeQuery()
method. executeQuery()
was designed to execute query statements so it returns a ResultSet
that contains the data returned by the query. The Statement
class offers a second method that you use to execute other types of commands (UPDATE
, INSERT
, DELETE
, and so forth). Instead of returning a collection of rows, the executeUpdate()
method returns the number of rows affected by the SQL command it executes.
The signature of the executeUpdate()
method is:
Provide this method with a single parameter of type String
containing the SQL command that you want to execute.
Avoid user-sourced values
We recommend that this string does not contain any user-sourced values. Avoid concatenating strings and values to compose your SQL command. Instead, use PreparedStatements which are reusable, parameterized SQL statements which safely manage the use of variable values in the SQL statement.
Using executeUpdate() to INSERT data
The example that follows shows using the executeUpdate()
method to add a row to the emp
table.
Code samples
The following examples are not a complete application, only example methods. These code samples don't include the code required to set up and tear down a Connection
. To experiment with the example, you must provide a class that invokes the sample code.
The addOneEmployee()
method expects a single argument from the caller, a Connection
object that must be connected to an EDB Postgres Advanced Server database:
A Statement
object is needed to run ExecuteUpdate()
. This can be obtained by using createStatement()
on the Connection object. We use the try-resource style here to ensure the statement object is released when the try block is exited.
The executeUpdate()
method returns the number of rows affected by the SQL statement (an INSERT
typically affects one row, but an UPDATE
or DELETE
statement can affect more).
If executeUpdate()
returns without an error, the call to System.out.printf
displays a message to the user that shows the number of rows affected.
The catch block displays an appropriate error message to the user if the program encounters an exception:
You can use executeUpdate()
with any SQL command that doesn't return a result set. It is best suited to situations where a specific command needs to be executed and that command takes no parameters.
To use the DROP TABLE
command to delete a table from a database:
To use the CREATE TABLE
command to add a new table to a database:
To use the ALTER TABLE
command to change the attributes of a table:
However, you should use PreparedStatement
when passing values to an SQL insert or update statement, especially if those values have come from user input.
Using PreparedStatements to send SQL commands
Many applications execute the same SQL statement over and over again, changing one or more of the data values in the statement between each iteration. If you use a Statement
object to repeatedly execute a SQL statement, the server must parse, plan, and optimize the statement every time. JDBC offers another Statement
derivative, the PreparedStatement
, to reduce the amount of work required in such a scenario.
The following shows invoking a PreparedStatement
that accepts an employee ID and employee name and inserts that employee information in the emp
table:
This version of an add employee method takes as parameters the connection and values for the employee number (an integer) and name (a string).
Instead of hard coding data values in the SQL statement, you insert placeholders to represent the values to change with each iteration. The example shows an INSERT
statement that includes two placeholders (each represented by a question mark):