On Wed, Jan 14, 2009 at 10:07 AM, Kyle Terry <kyle@xxxxxxxxxxxxx> wrote:
>
>
> On Wed, Jan 14, 2009 at 9:11 AM, <ceo@xxxxxxxxx> wrote:
>
>>
>> > Doesn't anybody use prepared statements these days? It even helps MySQL
>> > AND Oracle cache an execution plan...
>>
>> Forgive me if I'm wrong, but:
>>
>> Caching an execution plan for a prepared statement that is run only once
>> in the script is just overhead, no?
>>
>> Or can it actually re-use the same cached statement from a different
>> connection by some magical matching up of the context??? Doesn't seem like
>> the kind of thing that would be workable, but what do I know?
>>
>> Now if you said "... allows the DB to cold-stop any SQL injection" you'd
>> be 100% right. :-)
>>
>> So MikeP should really consider using prepared statements for that reason,
>> as it lets the DB do the escaping.
>>
>> PS
>> I think MikeP is saying he writes the code once and gets it working, then
>> goes back and adds the escaping in later. This is fine if you ALWAYS
>> remember to do that, but in a frenzy to release under pressure... Bad Idea!
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> It is overhead, but it caches the execution plan for multiple runs of the
> script. So different users with different data will use the same cached
> query on the database, saving processing time. It also prevents SQL
> injection on the fly because you are indicating what data type each
> placeholder will need to accept.
>
>
> --
> Kyle Terry | www.kyleterry.com
>

To elaborate even further, the whole point of prepared statements and creating
an execution plan is to tell the database EXACTLY how the query should be run,
preventing a drop table or 1=1 being injected. MySQL will just look at it,
laugh, and store it in the table or throw an error.

--
Kyle Terry | www.kyleterry.com
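The point made in the thread, shown in working code. This is an added example and not code from the original posts; it uses PDO against an in-memory SQLite database so it runs offline with no MySQL server, and the `users` table, its rows and the `nobody' OR 1=1 --` payload are all constructed for illustration. It contrasts a query built by string concatenation with the same query as a prepared statement, and then stores the payload through a prepared INSERT to show it ends up in the table as a plain string.

```php
<?php
// Added example, not from the thread: concatenated SQL versus a prepared
// statement. PDO + SQLite in-memory so the script is self-contained; the
// schema, rows and attacker input below are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// The classic 1=1 injection mentioned in the thread.
$attacker = "nobody' OR 1=1 --";

// VULNERABLE: the input is spliced into the SQL text. The WHERE clause becomes
//   name = 'nobody' OR 1=1 --'
// so the comparison is always true and every row is returned.
$unsafe = "SELECT name FROM users WHERE name = '$attacker'";
$rows = $db->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated: %d row(s): %s\n", count($rows), implode(', ', $rows));

// SAFE: the statement text is fixed at prepare() time and the input is bound
// as a value afterwards, so it can only ever be compared as a literal string.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $attacker]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared: %d row(s)\n", count($rows));

// "Store it in the table": bound as data, the payload is just a string value.
$ins = $db->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
$ins->execute([':name' => $attacker, ':role' => 'user']);
$check = $db->prepare('SELECT role FROM users WHERE name = :name');
$check->execute([':name' => $attacker]);
printf("stored verbatim with role=%s\n", $check->fetchColumn());

// Caveat: placeholders bind values only. Table names, column names and the
// ORDER BY direction cannot be parameters; validate those against a fixed
// allow-list in PHP before they go anywhere near the SQL string.
```

Two notes for anyone applying this to MySQL rather than SQLite. PDO's MySQL driver emulates prepared statements on the client by default; set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection if you want the server-side prepared statements (and the plan reuse) the thread is discussing, and set the connection charset explicitly so the emulated escaping, when it is used, matches the server's. With mysqli instead of PDO, the per-placeholder type string passed to `mysqli_stmt::bind_param` (`'s'`, `'i'`, `'d'`, `'b'`) is the "what data type each placeholder will accept" declaration Kyle refers to.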