Java Academy

JDBC Statement Interface

The Statement interface executes SQL text that is fixed when it is sent to the database, with no bound parameters. It is simple enough for learning, but PreparedStatement is preferred in production for both security (values are kept separate from the SQL text) and performance.

Creating a Statement

// connection is an open java.sql.Connection; try-with-resources closes the
// Statement and ResultSet even if an exception is thrown.
try (Statement stmt = connection.createStatement();
     ResultSet rs = stmt.executeQuery(
             "SELECT * FROM products WHERE category = 'electronics'")) {
    while (rs.next()) {
        System.out.println(rs.getString("name"));
    }
}

executeUpdate for DML

// executeUpdate returns the number of rows affected by INSERT, UPDATE or DELETE.
int rows = stmt.executeUpdate(
    "UPDATE accounts SET balance = balance - 100 WHERE id = 42");
System.out.println("Updated rows: " + rows);

SQL Injection Warning

Never concatenate user input into the SQL string passed to a Statement: an attacker who controls that input can change the structure of the query and inject SQL of their own. Always use PreparedStatement with parameterized queries for any user-supplied data.

Frequently Asked Questions

When is Statement acceptable?

Only for static DDL (for example, CREATE TABLE) or administrative scripts that contain no user input. For all application queries with dynamic values, use PreparedStatement.
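As an added example (not code from the original page), here is the concatenated Statement query beside its PreparedStatement form, plus the one place a plain Statement is fine: fixed DDL and seed data. It assumes a products(name, category) table and the H2 in-memory JDBC driver on the classpath; the input value is constructed to contain an apostrophe, which the parameterized query treats as data while the concatenated query fails to parse.

```java
import java.sql.*;
import java.util.ArrayList;
import java.util.List;

public class ProductQueries {
    // VULNERABLE: the value is spliced into the SQL text, so a quote character in
    // it changes the query's structure instead of being treated as data.
    static List<String> findByCategoryUnsafe(Connection conn, String category) throws SQLException {
        String sql = "SELECT name FROM products WHERE category = '" + category + "'";
        try (Statement stmt = conn.createStatement(); ResultSet rs = stmt.executeQuery(sql)) {
            return collectNames(rs);
        }
    }

    // SAFE: the SQL text is fixed; the value is bound separately and the driver
    // always hands it to the database as data, never as part of the SQL.
    static List<String> findByCategorySafe(Connection conn, String category) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT name FROM products WHERE category = ?")) {
            ps.setString(1, category);
            try (ResultSet rs = ps.executeQuery()) {
                return collectNames(rs);
            }
        }
    }

    private static List<String> collectNames(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }

    public static void main(String[] args) throws SQLException {
        // Assumes the H2 driver is on the classpath; the in-memory URL is set up for this demo only.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            // Plain Statement is acceptable here: fixed DDL and seed data, no user input.
            try (Statement stmt = conn.createStatement()) {
                stmt.executeUpdate("CREATE TABLE products (name VARCHAR(100), category VARCHAR(50))");
                stmt.executeUpdate("INSERT INTO products VALUES ('Apron', 'men''s clothing')");
            }
            String userInput = "men's clothing"; // constructed input containing an apostrophe
            System.out.println(findByCategorySafe(conn, userInput));
            try {
                findByCategoryUnsafe(conn, userInput); // the apostrophe breaks the concatenated SQL
            } catch (SQLException e) {
                System.out.println("Concatenated query failed: " + e.getMessage());
            }
        }
    }
}
```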