> -----Original Message-----
> From: Andrew Ballard [mailto:aballard@xxxxxxxxx]
> Sent: Monday, August 04, 2008 10:49 AM
> To: PHP General list
> Subject: Re: PDO prepared statements and LIKE escaping
>
> On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <larry@xxxxxxxxxxxxxxxx> wrote:
> >
> > On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <per@xxxxxxxxxxxx> wrote:
> >> Larry Garfield wrote:
> >>
> >>> IIRC, the way in SQL to circumvent that is to convert "100%" into
> >>> "100%%". However, that does rather defeat the purpose of a prepared
> >>> statement if I have to do my own escaping anyway, does it not?
> >>
> >> Depends on what you perceive the purpose of the prepared statement to
> >> be :-) In this context, I tend to think of performance only. Which is
> >> generally why I can't be bothered with prepared statements in php.
> >
> > Actually in most cases in PHP you don't get much performance. What
> > you do get is added security, because prepared statements are cleaner
> > and more reliable than string escaping. Of course, then we run into
> > the % problem above.
> >
> > --Larry Garfield
>
> True. I wish PDO would add an option of creating a parameterized query
> WITHOUT preparing it, at least for SQL Server. Why? There is overhead
> to creating the statement that way. I prefer using the "prepared
> statement" method as it decreases the exposure and risk to SQL
> injection.
>
> I'd like to see an option like the Microsoft ADO library so that I can
> prepare the statement if I will be running it several times with
> different parameter values each time, or choose not to incur the
> overhead if I'm only going to run a statement once.

I believe that (and don't quote me on this) newer versions of SQL Server are set up so that EVERYTHING is "compiled", even ordinary statements. A lot of the reading I have done about execution paths of SQL Server queries leads me to believe that they're all handled in a generic manner by default.

'Course... I could be wrong, or perhaps I was reading about special case scenarios.

Todd Boyd
Web Programmer
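The "% problem" the thread keeps coming back to is that a bound parameter protects the query's structure but says nothing about LIKE wildcards: a bound value of "100%" still matches every string starting with "100". The example below is added here and is not code from the thread or from PDO itself; it escapes the LIKE metacharacters in the value before binding it and pairs that with an ESCAPE clause, using a portable escape character ('!') so the same statement text works on backends that treat backslash specially in literals. It assumes PHP with the pdo_sqlite driver, and the in-memory table and rows are constructed for the demonstration.

```php
<?php
// Added example (not part of the original thread): literal prefix search
// with PDO. Binding stops SQL injection; escaping stops wildcard injection.
// Assumes the pdo_sqlite extension is available; data below is constructed.

/**
 * Escape the LIKE metacharacters (% and _) and the escape character itself
 * so that the user-supplied value is matched literally. The caller must use
 * the same character in an ESCAPE clause on the LIKE expression.
 */
function escapeLikePattern(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/** Names beginning with the literal $prefix (wildcards in $prefix are inert). */
function findByPrefix(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        "SELECT name FROM items WHERE name LIKE :pattern ESCAPE '!' ORDER BY name"
    );
    $stmt->execute([':pattern' => escapeLikePattern($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Same query without escaping, to show how a value of "100%" over-matches. */
function findByPrefixUnescaped(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        'SELECT name FROM items WHERE name LIKE :pattern ORDER BY name'
    );
    $stmt->execute([':pattern' => $prefix . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (name TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO items (name) VALUES (?)');
foreach (['100% cotton', '100 pack', '50% wool', 'a_b', 'axb'] as $name) {
    $ins->execute([$name]);
}

// Bound but unescaped: "100%" behaves as a wildcard and also matches "100 pack".
print_r(findByPrefixUnescaped($pdo, '100%'));

// Bound and escaped: only the row that really starts with "100%" comes back.
print_r(findByPrefix($pdo, '100%'));

// "_" is the single-character wildcard; escaped, "a_" no longer matches "axb".
print_r(findByPrefix($pdo, 'a_'));
```

The escaping happens in PHP only because the pattern is data, not SQL: the statement text stays constant and is still parameterized, so the prepared statement's injection protection is not bypassed. Note that escapeLikePattern is for LIKE patterns only; applying it to values used in equality comparisons would corrupt them.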