In this post, I am sharing the theory behind prepared (parameterized) statements in database technology.
What are prepared or parameterized statements?
A prepared or parameterized statement is a database feature that lets the same SQL statement be executed repeatedly with high efficiency.
A prepared statement is a kind of template that the application uses with different parameter values.
The database system can execute the same SQL statement again without parsing, compiling and optimizing it every time.
More characteristics of prepared or parameterized queries:
The statement template is prepared and sent to the database system, which parses, compiles and optimizes the template and stores the result without executing it.
Some values, such as those in the WHERE clause, are not passed when the template is created; the application sends them later as parameters, and the database system runs the stored template with those values for each request.
Prepared statements are beneficial against SQL injection because the application sends the parameter values separately from the statement text, using the techniques and protocols of its database driver, so those values are treated as data rather than parsed as part of the SQL.
When the number of records is growing and indexes change frequently, prepared statements might fail to deliver their benefit, because in that situation a new query plan is required for each execution.
All the major database technologies, such as Microsoft SQL Server, PostgreSQL, MySQL and Oracle, support parameterized statements.
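As an added example that is not from the original post, the template-plus-parameters flow described above is shown here in Python against an in-memory SQLite table (constructed sample rows; SQLite stands in for the MySQL server the post mentions, and the table, names and function names are assumptions). A concatenated query sits beside its parameterized form so the difference is visible: the name O'Brien breaks the concatenated statement because its quote is parsed as SQL text, while the bound parameter is treated as data only, and the same template is then reused for several lookups.

```python
import sqlite3

# Constructed sample data: a small in-memory table standing in for the
# application's real database (no external server needed).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "O'Brien", "obrien@example.com"),
    (3, "bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_email_unsafe(conn, name):
    """String concatenation: the user value becomes part of the SQL text,
    so the database parses it as SQL. A name containing a quote breaks the
    statement instead of being looked up."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_email_prepared(conn, name):
    """Parameterized statement: the template with a '?' placeholder is what
    the database parses; the value is bound separately and is only ever data."""
    sql = "SELECT email FROM users WHERE name = ?"
    row = conn.execute(sql, (name,)).fetchone()
    return row[0] if row else None


def lookup_many(conn, names):
    """Reuse one template for many parameter sets, as the post describes.
    The sqlite3 module keeps a statement cache, so the same SQL text is
    compiled once and re-executed with each bound value."""
    sql = "SELECT email FROM users WHERE name = ?"
    cur = conn.cursor()
    results = {}
    for name in names:
        row = cur.execute(sql, (name,)).fetchone()
        results[name] = row[0] if row else None
    return results


def compare(name):
    """Run both lookups for one input and report what each did.
    Returns (concatenated_result, parameterized_result); the concatenated
    result is an 'ERROR: ...' string when the database rejects the SQL."""
    conn = make_db()
    try:
        unsafe = find_email_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        unsafe = "ERROR: " + str(exc)
    prepared = find_email_prepared(conn, name)
    conn.close()
    return unsafe, prepared


if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        u, p = compare(n)
        print(f"{n!r}: concatenated -> {u!r}; parameterized -> {p!r}")
```

For a plain name both functions return the same email; for O'Brien only the parameterized lookup succeeds, which is exactly why the separation of template and parameters matters for SQL injection as well as for efficiency.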
Please check this small practical example of MySQL prepared statements.