On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <larry@xxxxxxxxxxxxxxxx> wrote:
>
> On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <per@xxxxxxxxxxxx> wrote:
>> Larry Garfield wrote:
>>
>>> IIRC, the way in SQL to circumvent that is to convert "100%" into
>>> "100%%". However, that does rather defeat the purpose of a prepared
>>> statement if I have to do my own escaping anyway, does it not?
>>
>> Depends on what you perceive the purpose of the prepared statement to
>> be :-) In this context, I tend to think of performance only. Which is
>> generally why I can't be bothered with prepared statements in php.
>
> Actually in most cases in PHP you don't get much performance. What you do get is added security, because prepared statements are cleaner and more reliable than string escaping. Of course, then we run into the % problem above.
>
> --Larry Garfield

True. I wish PDO would add an option of creating a parameterized query WITHOUT preparing it, at least for SQL Server.

Why? There is overhead to creating the statement that way. I prefer using the "prepared statement" method as it decreases the exposure and risk to SQL injection. I'd like to see an option like the Microsoft ADO library so that I can prepare the statement if I will be running it several times with different parameter values each time, or choose not to incur the overhead if I'm only going to run a statement once.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
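The "% problem" the thread circles around, shown as an added example rather than code from any of the posters: a bound parameter keeps user input out of the SQL text, so it cannot inject SQL, but a "%" or "_" inside the bound value is still interpreted by LIKE as a wildcard. The fix is to escape those characters in the value (not in the SQL string) and tell the database which escape character was used via an ESCAPE clause. The in-memory SQLite database, the products table and the search functions are all constructed for this example; the ESCAPE clause itself is standard SQL and is accepted by SQLite, MySQL, PostgreSQL and SQL Server.

```php
<?php
// Added example, not from the mailing-list thread. Demonstrates that PDO bound
// parameters stop SQL injection but do not neutralise LIKE wildcards, and how
// escaping the *value* plus an ESCAPE clause yields a literal match.
// Uses an in-memory SQLite database so it runs stand-alone (constructed data).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows: some contain a literal '%', some merely start with '100'.
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO products (name) VALUES (:name)');
foreach (['100% cotton shirt', '100 pack of pens', '50% wool scarf', '1000 piece puzzle'] as $name) {
    $insert->execute([':name' => $name]);
}

// Escape LIKE metacharacters inside a value, using backslash as the escape
// character. The query that consumes the result must declare ESCAPE '\'.
// The escape character itself is doubled first so it cannot be smuggled in.
function escapeLike(string $value, string $escape = '\\'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Injection-safe (the term is bound, never concatenated into SQL), but a '%'
// or '_' typed by the user still acts as a wildcard.
function searchNaive(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT name FROM products WHERE name LIKE :pattern ORDER BY id');
    $stmt->execute([':pattern' => $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Injection-safe AND wildcard-safe: metacharacters in the term are escaped in
// the bound value, and the statement declares which escape character is used.
function searchEscaped(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM products WHERE name LIKE :pattern ESCAPE '\\' ORDER BY id"
    );
    $stmt->execute([':pattern' => escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$term = '100%';  // constructed user input containing a LIKE metacharacter

echo "Naive prefix search for '$term':\n";
print_r(searchNaive($pdo, $term));

echo "Escaped prefix search for '$term':\n";
print_r(searchEscaped($pdo, $term));
```

With the input "100%", the naive search also returns every row that merely starts with "100", because the bound pattern becomes "100%%" and both percent signs are wildcards; the escaped search returns only the row whose name really begins with "100%". Note that the escaping happens on the parameter value, so there is still no manual escaping of the SQL text itself, which is the part of the job the prepared statement is there to take over.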