Last Updated: June 6, 2026
The previous lesson built SQL strings by gluing user input into the query text and showed how that opens the door to SQL injection. PreparedStatement is the fix for that class of bug. It separates the SQL template from the values that fill it in: the template is sent to the database with placeholders, and the values are bound afterwards as data, so they can never be parsed as SQL. That guarantee covers values only; table and column names, sort direction and similar identifiers cannot be bound as parameters and still have to be checked against an allow-list before they go into the template. Binding values this way also lets the database reuse the parsed statement and its query plan across calls instead of re-parsing a new string each time. This lesson covers placeholders, setter methods, reusing a prepared statement for many calls, batch inserts, and retrieving the auto-generated keys an INSERT returns.