Robert Cummings wrote:
I sincerely question the competence of someone who advocates a one size fits all approach to programming. There are many reasons why a developer may work with the old-school interface calls. For instance they may be supporting an old school application. They might be writing their own abstract layer. They might be optimizing an extremely loaded system whereby explicitly using the API calls improves speed. Prepared statements only improve speed when making multiple queries to the database having the same format. They slow things down when making unique queries. Any developer worth his salt doesn't need prepared statements to improve security, and assuming prepared statements will protect you is silly since they cannot protect against everything. A professional knows when to use any given approach given the environment and requirements. Cheers, Rob.
So I was perhaps a bit inflammatory in my post. But I do not see myself completely rebutted.
1. Maintaining legacy apps does not fall under the categories I was referring to. If you are bound by legacy constraints it is another ballgame.
2. In a short mail like this one there is not room to expand every minute detail. I do realise that PDO is not the best way to go for every app. But in saying that prepared statements are a really good way to protect against SQL injection, I'm just echoing Ilia Alshanetsky (spelling?) and a few other rather renowned security experts. Of course one should always have a "defense in depth", though.
3. Speed loss from prepared statements is usually negligible even for a single query. There are tests published on the net. And if one wants speed, one should probably consider a caching layer between PHP and one's DBMS. The OO model in PHP 5 would make such multi-tiered apps simpler to develop as well.
The question PHP 4 or PHP 5: If you stay with 4 you are bound to a one size fits all solution. In PHP 5 you can use DB-specific drivers or PDO or a PHP-based abstraction layer. That's *more* choice, not less!
To summarize: With PDO or mysqli I can use both old school SQL and prepared statements, in PHP 4 there are fewer options! My case for PHP 5 stands intact.
And finally: With each new release of PHP we can expect improvements in PDO, making it a more future-safe alternative.
Lars Gunther

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
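The contrast the thread is arguing about, shown as an added example that is not part of either post: the same lookup written first with the input concatenated into the SQL text (the "old school" style) and then as a PDO prepared statement. It assumes PHP with the pdo_sqlite extension so it runs against an in-memory database without a MySQL server; the table, its rows and the test input are constructed for the example.

```php
<?php
// Added example, not code from the original mailing-list thread.
// Uses an in-memory SQLite database (assumes the pdo_sqlite extension) so the
// two styles can be compared without a server. Table, rows and input are
// constructed for illustration.

function buildDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO users (name, secret) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");
    return $db;
}

// Old-school style: the caller's string becomes part of the SQL text, so the
// input can change what the WHERE clause means, not just what it compares to.
function findUserUnsafe(PDO $db, $name)
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the SQL text is fixed when prepare() runs and the input
// is bound as a value afterwards, so it can only match (or fail to match) a name.
function findUserSafe(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db    = buildDb();
$input = "' OR '1'='1";   // constructed input; no user has this name

var_dump(findUserUnsafe($db, $input)); // returns both names: the clause was rewritten
var_dump(findUserSafe($db, $input));   // returns an empty array: no literal match
```

This also illustrates the "cannot protect against everything" point from the quoted post: bound parameters only cover values. A table or column name, or an ORDER BY direction, taken from user input cannot be bound this way and still needs to be checked against a fixed list of allowed identifiers before it is placed into the SQL text.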