On Fri, Jun 17, 2011 at 4:55 AM, Vitalii Demianets <vitas@xxxxxxxxxxxxxxxxx> wrote:
> On Friday 17 June 2011 04:50:00 Daevid Vincent wrote:
>> > I've seen too many people over the years try and rally against common
>> > sense practices like using prepared statements for perhaps a marginal
>> > gain of performance on one page while their load averages are 0,0,0.
>>
>> Agreed. The ONLY time prepared statements are useful is in a loop where
>> you're changing a few variables but within the same SQL statement. That is
>> a rare case for most people.
>>
>
> Not ONLY. I love prepared statements because with them I can store arbitrary
> strings in the DB without needing to worry about fancy escaping and SQL injection.
> And do it in a DB-independent way.
> Think about all that extra escaping, and the performance gain of not using prepared
> statements will shrink a lot ) Don't have actual numbers though.
>
> --
> Vitalii
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

You can implement caching at so many levels of the app that using a prepared
statement should be at the lower spectrum of your worries. It is too easy to
forget calling escape, whether it be for a DB or output to the browser, as proven
by all the various bug trackers and hacked websites across the net.

Just to drive this point home, if you do a quick search on Secunia for 'SQL
Injection' [1] you get 4,158 advisories. Worth the risk?

[1] http://secunia.com/advisories/search/?search=sql+injection
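To make the thread's point concrete, here is an added example (not code from either poster) showing the same lookup written by splicing the value into the SQL text and written as a PDO prepared statement; it uses an in-memory SQLite database and a constructed input so it runs without a server.

```php
<?php
// Added example: string concatenation vs. a PDO prepared statement.
// An in-memory SQLite database stands in for the real DB (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com')");
$db->exec("INSERT INTO users (name, email) VALUES ('bob', 'bob@example.com')");

// Constructed input containing a single quote, as a user might legitimately type.
$name = "o'hara";

// Vulnerable: the input becomes part of the SQL text, so any character the
// SQL parser treats as syntax (here the quote) changes the query itself.
// This is exactly the path where a forgotten escape call goes unnoticed.
function findByConcat(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed at prepare time; the value is sent separately
// as a parameter and is never parsed as SQL, so there is no escaping to forget.
function findByPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findByConcat($db, $name);
} catch (PDOException $e) {
    // The stray quote breaks the statement: a syntax error for this input,
    // and for other inputs a query the developer never wrote.
    echo "concatenation failed: ", $e->getMessage(), "\n";
}

var_dump(findByPrepared($db, $name));   // empty result set, no error
var_dump(findByPrepared($db, 'alice')); // one row
```

Bound parameters cover values only: table and column names that come from user input still have to be checked against an allow-list, since they cannot be passed as parameters.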