On Wed, 2009-01-14 at 10:11 -0800, Kyle Terry wrote:
> On Wed, Jan 14, 2009 at 10:07 AM, Kyle Terry <kyle@xxxxxxxxxxxxx> wrote:
>
> >
> >
> > On Wed, Jan 14, 2009 at 9:11 AM, <ceo@xxxxxxxxx> wrote:
> >
> >>
> >> > Doesn't anybody use prepared statements these days? It even helps MySQL
> >> > AND Oracle cache an execution plan...
> >>
> >> Forgive me if I'm wrong, but:
> >>
> >> Caching an execution plan for a prepared statement that is run only once
> >> in the script is just overhead, no?
> >>
> >> Or can it actually re-use the same cached statement from a different
> >> connection by some magical matching up of the context??? Doesn't seem like
> >> the kind of thing that would be workable, but what do I know?
> >>
> >> Now if you said "... allows the DB to cold-stop any SQL injection" you'd
> >> be 100% right. :-)
> >>
> >> So MikeP should really consider using prepared statements for that reason,
> >> as it lets the DB do the escaping.
> >>
> >> PS
> >> I think MikeP is saying he writes the code once and gets it working, then
> >> goes back and adds the escaping in later. This is fine if you ALWAYS
> >> remember to do that, but in a frenzy to release under pressure... Bad Idea!
> >>
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
> >>
> >>
> > It is overhead, but it caches the execution plan for multiple runs of the
> > script. So different users with different data will use the same cached
> > query on the database. Saving processing time. It also prevents SQL
> > injection on the fly because you are indicating what data type each place
> > holder will need to accept.
> >
> >
> > --
> > Kyle Terry | www.kyleterry.com
> >
> >
> To elaborate even further, the whole point of prepared statements and
> creating an execution plan is to tell the database EXACTLY how the query
> should be run. Preventing a drop table or 1=1 being injected. MySQL will
> just look at it, laugh, and store it in the table or throw an error.
>
>
> --
> Kyle Terry | www.kyleterry.com
>
>

See, I knew my computer was laughing at me... They all looked at me funny,
but I knew it was true!

Ash
www.ashleysheridan.co.uk
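The point the thread makes, that a bound placeholder can only ever be data while a concatenated value becomes part of the SQL text, is easy to see side by side. The script below is an added example written for this page, not code posted by anyone in the thread. It uses PDO against an in-memory SQLite database so it runs with no MySQL server; the `users` table, its rows, the function names and the crafted input are all constructed for the illustration.

```php
<?php
// Added example (not from the thread): the same lookup done by string
// concatenation and with a prepared statement, run against an in-memory
// SQLite database so it works offline. Table, rows and the crafted input
// below are constructed purely for illustration.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');

    // One prepare, several executes: this is the "same plan, different data"
    // reuse the thread talks about.
    $ins = $pdo->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
    foreach ([['alice', 'admin'], ['bob', 'user'], ['carol', 'user']] as [$n, $r]) {
        $ins->execute([':name' => $n, ':role' => $r]);
    }
    return $pdo;
}

// Unsafe: the caller's value is spliced into the SQL text, so any quote or
// operator inside it is parsed as SQL rather than compared as data.
function findByNameConcat(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed when prepare() runs. The value is bound
// afterwards with an explicit type, so the database can only treat it as
// a string to compare against the column.
function findByNamePrepared(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = makeDb();

// Constructed input: the "1=1" case mentioned in the thread.
$crafted = "' OR 1=1 --";

echo "concat, normal input:   ", json_encode(findByNameConcat($pdo, 'alice')), "\n";
echo "concat, crafted input:  ", json_encode(findByNameConcat($pdo, $crafted)), "\n";
echo "prepared, crafted input:", json_encode(findByNamePrepared($pdo, $crafted)), "\n";
```

With the concatenated query the crafted value rewrites the `WHERE` clause and every row comes back; with the prepared statement the same value is compared literally as a name, matches nothing, and the result is an empty array, which is the "store it or throw an error" behaviour Kyle describes. One caveat for the plan-caching half of the discussion: `pdo_mysql` emulates prepares client-side by default, which is still injection-safe but gives the server nothing to cache; pass `PDO::ATTR_EMULATE_PREPARES => false` in the connection options when you want real server-side prepared statements.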