Re: Quotes in querys

On Wed, Jan 14, 2009 at 9:11 AM, <ceo@xxxxxxxxx> wrote:

>
> > Doesn't anybody use prepared statements these days? It even helps MySQL
> > AND Oracle cache an execution plan...
>
> Forgive me if I'm wrong, but:
>
> Caching an execution plan for a prepared statement that is run only once in
> the script is just overhead, no?
>
> Or can it actually re-use the same cached statement from a different
> connection by some magical matching up of the context??? Doesn't seem like
> the kind of thing that would be workable, but what do I know?
>
> Now if you said "... allows the DB to cold-stop any SQL injection" you'd be
> 100% right. :-)
>
> So MikeP should really consider using prepared statements for that reason,
> as it lets the DB do the escaping.
>
> PS
> I think MikeP is saying he writes the code once and gets it working, then
> goes back and adds the escaping in later.  This is fine if you ALWAYS
> remember to do that, but in a frenzy to release under pressure... Bad Idea!
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
It is overhead, but it caches the execution plan for multiple runs of the
script. So different users with different data will use the same cached
query on the database, saving processing time. It also prevents SQL
injection on the fly because you are indicating what data type each
placeholder will need to accept.

-- 
Kyle Terry | www.kyleterry.com
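As an added illustration of the two points made in this thread (not code from either poster), here is the concatenated query pattern next to a mysqli prepared statement whose type string declares what each placeholder accepts. It assumes a `users` table with `id`, `name` and `age` columns and placeholder connection values.

```php
<?php
// Added example; assumes a `users` table and placeholder connection values.
$mysqli = new mysqli('db-host', 'db-user', 'db-pass', 'db-name');
$mysqli->set_charset('utf8mb4');

$name = $_GET['name'] ?? '';   // untrusted input

// Fragile pattern: correctness depends on the developer escaping every value,
// every time. Forgetting it once (the "frenzy to release" case) makes the
// query injectable, because the value is parsed as part of the SQL text.
$sql = "SELECT id, name, age FROM users WHERE name = '" . $name . "'";

// Prepared statement: the SQL text with placeholders is parsed and planned
// once by the server; parameter values travel separately and are never
// interpreted as SQL. The type string ("s" = string, "i" = integer) states
// what each placeholder accepts, which is the data-type point made above.
function findUsers(mysqli $db, string $name, int $minAge): array
{
    $stmt = $db->prepare('SELECT id, name, age FROM users WHERE name = ? AND age >= ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $name, $minAge);
    $stmt->execute();
    // get_result() needs the mysqlnd driver (the default in modern PHP builds).
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Repeated execution is where the cached plan pays off: the statement is
// prepared once, and each execute() sends only the new bound values.
$n = '';
$a = 0;
$insert = $mysqli->prepare('INSERT INTO users (name, age) VALUES (?, ?)');
$insert->bind_param('si', $n, $a);   // bound by reference
foreach ([['alice', 31], ["o'brien", 45]] as [$n, $a]) {   // constructed sample rows
    $insert->execute();              // the quote in o'brien is just data here
}
$insert->close();

print_r(findUsers($mysqli, $name, 18));
```

In MySQL a prepared statement handle belongs to the connection that prepared it, so the plan reuse shown above happens across repeated executions on that connection.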
