On Mon, 4 Aug 2008 11:48:39 -0400, "Andrew Ballard" <aballard@xxxxxxxxx> wrote:

> On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <larry@xxxxxxxxxxxxxxxx>
> wrote:
>>
>> On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <per@xxxxxxxxxxxx> wrote:
>>> Larry Garfield wrote:
>>>
>>>> IIRC, the way in SQL to circumvent that is to convert "100%" into
>>>> "100%%". However, that does rather defeat the purpose of a prepared
>>>> statement if I have to do my own escaping anyway, does it not?
>>>
>>> Depends on what you perceive the purpose of the prepared statement to
>>> be :-) In this context, I tend to think of performance only. Which is
>>> generally why I can't be bothered with prepared statements in php.
>>
>> Actually in most cases in PHP you don't get much performance. What you
>> do get is added security, because prepared statements are cleaner and
>> more reliable than string escaping. Of course, then we run into the %
>> problem above.
>>
>> --Larry Garfield
>
> True. I wish PDO would add an option of creating a parameterized query
> WITHOUT preparing it, at least for SQL Server. Why? There is overhead
> to creating the statement that way. I prefer using the "prepared
> statement" method as it decreases the exposure and risk to SQL
> injection.
>
> I'd like to see an option like the Microsoft ADO library so that I can
> prepare the statement if I will be running it several times with
> different parameter values each time, or choose not to incur the
> overhead if I'm only going to run a statement once.

I've solved that at least for the given page request with a caching layer
on top of PDO. It caches and reuses the statement objects. The problem is
the issue with LIKE as described above, which I still haven't figured out
yet.

--Larry Garfield

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
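As an added example (not code from the thread or from PDO itself), here is one way to keep a LIKE pattern fully parameterized: the user's own `%` and `_` are escaped with a chosen escape character and the query carries an `ESCAPE` clause, so the value is still bound rather than spliced into the SQL, and the prepared statement object is reused through a small per-request cache of the kind Larry describes. It assumes PHP 8 with the pdo_sqlite driver; the table, rows and the `!` escape character are constructed for the example.

```php
<?php
// Escape LIKE metacharacters so user-supplied text matches literally.
// The escape character itself is replaced first, then '%' and '_'.
function escapeLikePattern(string $value, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

// Minimal per-request statement cache: each distinct SQL string is
// prepared once and the PDOStatement object is handed back on reuse.
final class StmtCache
{
    private array $stmts = [];
    public function __construct(private PDO $pdo) {}
    public function get(string $sql): PDOStatement
    {
        return $this->stmts[$sql] ??= $this->pdo->prepare($sql);
    }
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (name TEXT)');
$ins = $pdo->prepare('INSERT INTO products (name) VALUES (?)');
foreach (['100% cotton', '100 watt bulb', '1000 piece puzzle', '50% off'] as $n) {
    $ins->execute([$n]);
}

$cache = new StmtCache($pdo);
// '!' is an arbitrary choice; '\' also works but collides with PHP string
// quoting and with MySQL's own backslash handling, so it is avoided here.
$sql = "SELECT name FROM products WHERE name LIKE ? ESCAPE '!'";

// Naive: the user typed "100%" and the application appends its own
// wildcard. The user's '%' is still a wildcard, so the search over-matches.
$naive = $cache->get($sql);
$naive->execute(['100%' . '%']);
print_r($naive->fetchAll(PDO::FETCH_COLUMN));

// Correct: escape the user's text first, then append the application's
// wildcard. Same cached PDOStatement object, new bound value.
$stmt = $cache->get($sql);
$stmt->execute([escapeLikePattern('100%') . '%']);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```

The same `ESCAPE` form is accepted by MySQL and SQL Server, so the escaping stays in the parameter value and the SQL text never changes.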