What is the difference between Statement, PreparedStatement, and CallableStatement in JDBC?

1 Answer
Answered by suresh

Difference between Statement, PreparedStatement, and CallableStatement in JDBC

In JDBC, there are three main types of interfaces for executing SQL queries: Statement, PreparedStatement, and CallableStatement.

Statement: The Statement interface in JDBC is used to execute static SQL queries. It is the simplest form of SQL statement and is used for executing queries that do not have input parameters. However, using Statement for executing SQL queries with user inputs can make your application vulnerable to SQL injection attacks.

PreparedStatement: The PreparedStatement interface extends the Statement interface and is used to execute parameterized SQL queries. It allows you to execute SQL queries with input parameters, which helps in preventing SQL injection attacks. PreparedStatement is precompiled, which can lead to improved performance when executing the same query multiple times with different parameters.

CallableStatement: The CallableStatement interface is used to execute stored procedures in the database. It extends the PreparedStatement interface and allows you to call stored procedures with input and output parameters. CallableStatement is used when you need to execute complex database operations that cannot be achieved with simple SQL queries.

In summary, Statement is used for executing simple SQL queries without input parameters, PreparedStatement is used for executing parameterized SQL queries, and CallableStatement is used for executing stored procedures in the database.

Understanding the differences between these interfaces is important for writing efficient and secure JDBC code.
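The following is an added example, not part of the answer above, that runs the same lookup through all three interfaces so the difference the answer describes is visible in behaviour. It assumes the H2 in-memory JDBC driver is on the classpath (the page names no database) and uses H2's CREATE ALIAS to stand in for a stored procedure; the table, the sample rows, the alias name COUNT_USERS and the input string are all constructed for the demonstration. On a database with real stored procedures you would replace the alias with a procedure declaration and keep the prepareCall code as-is.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;

public class JdbcStatementKinds {

    // Assumption: H2 in-memory database; the driver is not part of the original answer.
    private static final String URL = "jdbc:h2:mem:demo;DB_CLOSE_DELAY=-1";

    public static void main(String[] args) throws SQLException {
        try (Connection conn = DriverManager.getConnection(URL, "sa", "")) {
            setUp(conn);
            // Constructed sample input of the kind the answer warns about.
            String untrusted = "' OR '1'='1";
            System.out.println("Statement rows:         " + countWithStatement(conn, untrusted));
            System.out.println("PreparedStatement rows: " + countWithPreparedStatement(conn, untrusted));
            System.out.println("CallableStatement rows: " + countWithCallableStatement(conn, untrusted));
        }
    }

    // Schema and data are constructed for the example; Statement is the right tool
    // for static DDL like this because nothing in the text comes from a user.
    static void setUp(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement()) {
            st.execute("CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(64))");
            st.execute("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
            // Hypothetical "stored procedure": H2 maps the alias to the static method below.
            st.execute("CREATE ALIAS COUNT_USERS FOR \"JdbcStatementKinds.countUsers\"");
        }
    }

    // Statement with concatenated input: the input becomes part of the SQL text,
    // so a quote in it changes the query's structure. Kept as the 'before' picture.
    static int countWithStatement(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            rs.next();
            return rs.getInt(1);
        }
    }

    // PreparedStatement: the SQL text is fixed at prepare time and the input is
    // bound as a value, so it is only ever compared against the name column.
    static int countWithPreparedStatement(Connection conn, String name) throws SQLException {
        String sql = "SELECT COUNT(*) FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                rs.next();
                return rs.getInt(1);
            }
        }
    }

    // CallableStatement: invokes the routine with a registered OUT parameter (the
    // return value) and a bound IN parameter; the name is again passed as a value.
    static int countWithCallableStatement(Connection conn, String name) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{? = call COUNT_USERS(?)}")) {
            cs.registerOutParameter(1, Types.INTEGER);
            cs.setString(2, name);
            cs.execute();
            return cs.getInt(1);
        }
    }

    // Body of the aliased routine. H2 passes the current Connection as the first
    // argument; the routine itself uses a PreparedStatement internally.
    public static int countUsers(Connection conn, String name) throws SQLException {
        return countWithPreparedStatement(conn, name);
    }
}
```

Run with the H2 jar on the classpath. Because the concatenated Statement version turns the WHERE clause into `name = '' OR '1'='1'`, it matches every row in the table, while the PreparedStatement and CallableStatement versions compare the literal string against the name column and match none. The same input, three interfaces, different results: that gap is exactly the SQL injection exposure the answer attributes to Statement.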
