Fwd: Quotes in querys

On Wed, Jan 14, 2009 at 10:07 AM, Kyle Terry <kyle@xxxxxxxxxxxxx> wrote:

>
>
> On Wed, Jan 14, 2009 at 9:11 AM, <ceo@xxxxxxxxx> wrote:
>
>>
>> > Doesn't anybody use prepared statements these days? It even helps MySQL
>> > AND Oracle cache an execution plan...
>>
>> Forgive me if I'm wrong, but:
>>
>> Caching an execution plan for a prepared statement that is run only once
>> in the script is just overhead, no?
>>
>> Or can it actually re-use the same cached statement from a different
>> connection by some magical matching up of the context??? Doesn't seem like
>> the kind of thing that would be workable, but what do I know?
>>
>> Now if you said "... allows the DB to cold-stop any SQL injection" you'd
>> be 100% right. :-)
>>
>> So MikeP should really consider using prepared statements for that reason,
>> as it lets the DB do the escaping.
>>
>> PS
>> I think MikeP is saying he writes the code once and gets it working, then
>> goes back and adds the escaping in later.  This is fine if you ALWAYS
>> remember to do that, but in a frenzy to release under pressure... Bad Idea!
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> It is overhead, but it caches the execution plan for multiple runs of the
> script. So different users with different data will use the same cached
> query on the database, saving processing time. It also prevents SQL
> injection on the fly because you are indicating what data type each
> placeholder will need to accept.
>
>
> --
> Kyle Terry | www.kyleterry.com
>

To elaborate even further, the whole point of prepared statements and
creating an execution plan is to tell the database EXACTLY how the query
should be run, preventing a drop table or 1=1 from being injected. MySQL will
just look at it, laugh, and store it in the table or throw an error.


-- 
Kyle Terry | www.kyleterry.com

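The point the thread is making, as an added example that is not from the thread or from any list member: a PHP lookup built by string concatenation next to the same lookup as a PDO prepared statement, and a prepared INSERT showing the input kept as plain data. It assumes PDO with the sqlite driver so it runs offline (against MySQL only the DSN changes); the table, its rows and the input string are constructed.

```php
<?php
// Added example, not from the thread. Compares a lookup built by string
// concatenation with the same lookup as a PDO prepared statement.
// Assumes PDO with the sqlite driver so it runs offline; against MySQL only
// the DSN in the constructor changes.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
$db->exec("INSERT INTO users (name, secret) VALUES ('alice', 's1'), ('bob', 's2')");

// Constructed input of the kind the thread mentions (the "1=1" case).
$input = "x' OR 1=1 --";

// Vulnerable form: the input is spliced into the SQL text, so the quote in it
// closes the string literal and what follows is parsed as part of the WHERE
// clause. The input can therefore widen the match beyond one name.
function lookupConcat(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared form: the statement is parsed with a placeholder first, and the
// value is bound afterwards purely as data, so it cannot alter the statement.
function lookupPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The same input written through a prepared INSERT is kept as a plain string,
// which is what the post means by MySQL "storing it in the table".
function storePrepared(PDO $db, string $name): string {
    $ins = $db->prepare('INSERT INTO users (name, secret) VALUES (?, ?)');
    $ins->execute([$name, 'none']);
    $sel = $db->prepare('SELECT name FROM users WHERE id = ?');
    $sel->execute([(int) $db->lastInsertId()]);
    return $sel->fetchColumn();
}

var_dump(lookupConcat($db, $input));
var_dump(lookupPrepared($db, $input));
var_dump(storePrepared($db, $input));
```

The type string Kyle refers to is the mysqli `bind_param()` convention; PDO infers the type from the bound value, but the separation of statement text from data is the same.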
