Re: Fwd: Quotes in queries

On Wed, 2009-01-14 at 10:11 -0800, Kyle Terry wrote:

> On Wed, Jan 14, 2009 at 10:07 AM, Kyle Terry <kyle@xxxxxxxxxxxxx> wrote:
> 
> >
> >
> > On Wed, Jan 14, 2009 at 9:11 AM, <ceo@xxxxxxxxx> wrote:
> >
> >>
> >> > Doesn't anybody use prepared statements these days? It even helps MySQL
> >> > AND Oracle cache an execution plan...
> >>
> >> Forgive me if I'm wrong, but:
> >>
> >> Caching an execution plan for a prepared statement that is run only once
> >> in the script is just overhead, no?
> >>
> >> Or can it actually re-use the same cached statement from a different
> >> connection by some magical matching up of the context??? Doesn't seem like
> >> the kind of thing that would be workable, but what do I know?
> >>
> >> Now if you said "... allows the DB to cold-stop any SQL injection" you'd
> >> be 100% right. :-)
> >>
> >> So MikeP should really consider using prepared statements for that reason,
> >> as it lets the DB do the escaping.
> >>
> >> PS
> >> I think MikeP is saying he writes the code once and gets it working, then
> >> goes back and adds the escaping in later.  This is fine if you ALWAYS
> >> remember to do that, but in a frenzy to release under pressure... Bad Idea!
> >>
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> > It is overhead, but it caches the execution plan for multiple runs of the
> > script, so different users with different data will use the same cached
> > query on the database, saving processing time. It also prevents SQL
> > injection on the fly because you are indicating what data type each
> > placeholder will need to accept.
> >
> >
> > --
> > Kyle Terry | www.kyleterry.com
> >
> 
> To elaborate even further, the whole point of prepared statements and
> creating an execution plan is to tell the database EXACTLY how the query
> should be run, preventing a DROP TABLE or 1=1 from being injected. MySQL will
> just look at it, laugh, and store it in the table or throw an error.
> 
> 
> -- 
> Kyle Terry | www.kyleterry.com
> 
> 
> 

See, I knew my computer was laughing at me... They all looked at me
funny, but I knew it was true!


Ash
www.ashleysheridan.co.uk
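The point made above (the database only parses the fixed SQL text, so a quote
in a bound value is stored as data rather than executed) is shown below as an
added example; it is not code from anyone in this thread. It uses PDO with an
in-memory SQLite database so it runs without a server; the users table, its two
rows and the payload string are constructed here for illustration.

```php
<?php
// Added example (not from the thread): the same lookup built by string
// concatenation and by a prepared statement, run through PDO against an
// in-memory SQLite database. Table, rows and payload are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// A name the attacker controls: the quote closes the string literal and the
// OR makes the WHERE clause true for every row.
$payload = "x' OR '1'='1";

// Vulnerable: the value is interpolated into the SQL text, so the quote in
// the payload is parsed as SQL and the condition becomes always-true.
function lookupConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed when the statement is prepared; $name is sent
// separately as a string parameter and is only compared with the column,
// never parsed as SQL.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Insert through a prepared statement: the payload is stored verbatim as a
// name, which is exactly the "store it in the table" behaviour described above.
function addUser(PDO $pdo, string $name, string $role): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
    $stmt->execute([':name' => $name, ':role' => $role]);
    return (int) $pdo->lastInsertId();
}

// Concatenation returns both users: the injected OR matched every row.
printf("concatenated: %d rows\n", count(lookupConcat($pdo, $payload)));

// Prepared returns no rows: nobody is literally named "x' OR '1'='1".
printf("prepared:     %d rows\n", count(lookupPrepared($pdo, $payload)));

// After storing the payload as a name, the prepared lookup finds that one row
// and nothing else; the quotes never touched the SQL.
addUser($pdo, $payload, 'user');
printf("prepared after insert: %d rows\n", count(lookupPrepared($pdo, $payload)));
```

Run it with `php example.php`; the first count is 2, the second 0, the third 1.
One caveat for MySQL users: pdo_mysql emulates prepares client-side by default,
so set PDO::ATTR_EMULATE_PREPARES to false if you want the server to receive
the statement and the parameters separately as the thread describes.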
