On 4 November 2010 08:19, Shreyas Agasthya <shreyasbr@xxxxxxxxx> wrote: > Tamara, > > In one of the earlier threads, it was mentioned mysqli APIs are more secure, > faster, and actually maintained. > > Also, if you use some of the mysql_xxx(), you actually get a warning saying > that it will be or it is being deprecated and paves the way for you to > approach the same thing with mysqli_xxx(). > > The seniors perhaps can give you more facts which they have seen and > experienced. > > Regards, > Shreyas > > On Thu, Nov 4, 2010 at 1:18 PM, Tamara Temple <tamara@xxxxxxxxxxxxxxxx>wrote: > >> I'm wondering what the advantages/disadvantage of using prepared statements >> with mysqli are. I'm used to using the mysqli::query and mysqli::fetch_assoc >> functions to deal with retrieving data and bulding my sql statement in php >> code. >> >> Tamara Temple >> Â Â Â Â-- aka tamouse__ >> tamara@xxxxxxxxxxxxxxxx >> >> >> "May you never see a stranger's face in the mirror." >> >> >> -- >> PHP General Mailing List (http://www.php.net/) >> To unsubscribe, visit: http://www.php.net/unsub.php >> >> > > > -- > Regards, > Shreyas Agasthya > I don't use mysql, I use MS SQL, but the principles are pretty much the same. A prepared statement allows the SQL server to work out what needs to be done prior to actually doing it. The server essentially compiles the SQL statement and provides places for you to put in type appropriate values. A prepared statement can be executed repeatedly with different data, without the need of the SQL server having to recompile the query. Due to the SQL server knowing the column types you are using when you are going to supply data to the query, the data types are managed for you. Hmm, I've not explained that very well. Basically, a prepared statement is a lot harder to get SQL injection code working. Normally SQL will handle a string as a string and not as part of the SQL statement. So a password of "' or 1" will be treated as that and NOT as an or statement on a where clause (assuming a simple SQL injection). http://en.wikipedia.org/wiki/Prepared_statements#Parameterized_statements covers this sort of stuff. Now, taking this one stage further. If you have a query in your PHP code, which you are going to be executing a lot, even if you are using prepared statements, you can go one further by creating a stored procedure. Now the SQL server will only ever need to compile the statement once. No matter how many times it is used. You only need to supply the data which will be type appropriate. -- Richard Quadling Twitter : EE : Zend @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
