On 4 November 2010 10:42, Richard Quadling <rquadling@xxxxxxxxx> wrote:
> On 4 November 2010 08:19, Shreyas Agasthya <shreyasbr@xxxxxxxxx> wrote:
>> Tamara,
>>
>> In one of the earlier threads, it was mentioned mysqli APIs are more secure,
>> faster, and actually maintained.
>>
>> Also, if you use some of the mysql_xxx(), you actually get a warning saying
>> that it will be or it is being deprecated and paves the way for you to
>> approach the same thing with mysqli_xxx().
>>
>> The seniors perhaps can give you more facts which they have seen and
>> experienced.
>>
>> Regards,
>> Shreyas
>>
>> On Thu, Nov 4, 2010 at 1:18 PM, Tamara Temple <tamara@xxxxxxxxxxxxxxxx> wrote:
>>
>>> I'm wondering what the advantages/disadvantages of using prepared statements
>>> with mysqli are. I'm used to using the mysqli::query and mysqli::fetch_assoc
>>> functions to deal with retrieving data and building my sql statement in php
>>> code.
>>>
>>> Tamara Temple
>>>     -- aka tamouse__
>>> tamara@xxxxxxxxxxxxxxxx
>>>
>>> "May you never see a stranger's face in the mirror."
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>
>> --
>> Regards,
>> Shreyas Agasthya
>>
>
> I don't use mysql, I use MS SQL, but the principles are pretty much the same.
>
> A prepared statement allows the SQL server to work out what needs to
> be done prior to actually doing it. The server essentially compiles
> the SQL statement and provides places for you to put in type
> appropriate values.
>
> A prepared statement can be executed repeatedly with different data,
> without the need of the SQL server having to recompile the query.
>
> Due to the SQL server knowing the column types you are using when you
> are going to supply data to the query, the data types are managed for
> you. Hmm, I've not explained that very well. Basically, a prepared
> statement is a lot harder to get SQL injection code working.
>
> Normally SQL will handle a string as a string and not as part of the
> SQL statement. So a password of "' or 1" will be treated as that and
> NOT as an or statement on a where clause (assuming a simple SQL
> injection).
>
> http://en.wikipedia.org/wiki/Prepared_statements#Parameterized_statements
> covers this sort of stuff.
>
> Now, taking this one stage further.
>
> If you have a query in your PHP code, which you are going to be
> executing a lot, even if you are using prepared statements, you can go
> one further by creating a stored procedure. Now the SQL server will
> only ever need to compile the statement once. No matter how many times
> it is used. You only need to supply the data which will be type
> appropriate.
>
> --
> Richard Quadling
> Twitter : EE : Zend
> @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

And why this sort of thing should be taught at school ... http://xkcd.com/327/

--
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY
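The point made in the quoted reply, as an added example that is not part of the thread: the same login check written once by building the SQL text in code (the mysqli::query style the question describes) and once as a parameterized statement, fed the "' or 1" password from the reply. The thread is about PHP's mysqli; this uses Python's bundled sqlite3 driver so it runs offline, with a constructed users table, but the distinction between the two forms is the same.

```python
import sqlite3

PAYLOAD = "' or 1"  # the password value quoted in the reply


def make_db():
    """Constructed in-memory users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('tamara', 'secret')")
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Builds the SQL text in code: the input becomes part of the statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, name, password):
    """Parameterized: the statement text is fixed, the driver passes the
    values separately, and the input is compared as a plain string."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def attempt(login, name, password):
    """Run one login and report how the input was treated."""
    conn = make_db()
    try:
        return "granted" if login(conn, name, password) else "denied"
    except sqlite3.Error:
        # The input changed the statement itself: it no longer parses.
        return "error"
    finally:
        conn.close()


if __name__ == "__main__":
    for login in (login_concat, login_prepared):
        print(login.__name__,
              attempt(login, "tamara", "secret"),
              attempt(login, "tamara", PAYLOAD))
```

With the real password both forms grant access; with the quoted payload the parameterized form simply denies the login, while the concatenated form hands the server a different statement than the one the code intended (here it fails to parse at all).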