On Sat, Jan 11, 2014 at 2:59 PM, Jasper Kips <jasper@xxxxxxxxxxxxx> wrote:
>
> Sincerely,
>
> Jasper Kips
>
> ....
>
> And of course, it is almost mandatory to use prepared statements.
> Especially if the source of the data is the internet.
>

Hear, hear!

So, I do not mean to get on a soap box and shout the glories of a preferred library (ok, yeah I guess I do- why lie). Robert, you did not mention what your skill level is, but my best advice regarding php/mysql development, besides getting into the habit of always using prepared statements, is to learn php's PDO library. People tend to have their favorites (for instance- my current company uses mysqli. In fact, the previous lead developer before me had a policy of only using mysqli).

PDO has a very clean prepared statement system including named parameters which not only guards against potential sql-injections (please google search it if you are not familiar with the concept- very important to know), it also makes constructing complex but parameterizable queries much, much easier. If you ever do development against a normalized data warehouse for instance, you will likely have to do queries involving a bunch of joins, unions, etc... You can still accomplish that with placeholders (for instance, my example in a previous email) but you have to keep track of argument ordering and such.

Prepared statements also increase performance since they are compiled on the sql server side. If you have to execute the same query a bunch of times, you will notice a big performance increase (I have stories I can tell about some perl scripts I wrote a few years ago).

As a nice bonus, PDO supports 12 databases including mysql and Oracle, vs mysqli which to my knowledge only supports mysql. PDO is the first php/DB library I learned and I am very glad I did.

Just a thought- bouncing off of Jasper's comment.
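An added example (not code from the thread) showing the named-parameter prepared statement pattern the post describes, with a string-built query beside it for contrast; it uses PDO's SQLite driver and constructed sample rows so it runs with no MySQL server:

```php
<?php
// Added example, not from the thread: PDO named parameters on an in-memory
// SQLite database. The table and rows are constructed sample data. For MySQL
// use a mysql: DSN and also set PDO::ATTR_EMULATE_PREPARES to false so the
// statement is really prepared on the server rather than emulated client-side.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)');

// One prepared INSERT executed once per row: the SQL is parsed once and only
// the bound values change between executions (the performance point above).
$insert = $pdo->prepare('INSERT INTO users (name, active) VALUES (:name, :active)');
foreach ([["Alice", 1], ["O'Brien", 1], ["Mallory", 0]] as [$name, $active]) {
    $insert->execute([':name' => $name, ':active' => $active]);
}

// Unsafe: the value is spliced into the SQL text, so the database parses the
// caller's input as part of the query. Kept only for contrast; do not use.
function findActiveUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name' AND active = 1";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the query structure is fixed at prepare(); values travel separately
// and are never interpreted as SQL. Named placeholders keep the call site
// readable and free the caller from tracking positional argument order.
function findActive(PDOStatement $stmt, string $name): array
{
    $stmt->execute([':name' => $name, ':active' => 1]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$find = $pdo->prepare('SELECT id, name FROM users WHERE name = :name AND active = :active');

// A perfectly legitimate name containing an apostrophe shows the difference:
// the string-built query fails to parse because the input altered the SQL,
// while the prepared statement simply matches the row.
$input = "O'Brien";
try {
    findActiveUnsafe($pdo, $input);
    echo "unsafe: query ran\n";
} catch (PDOException $e) {
    echo "unsafe: " . $e->getMessage() . "\n";
}
print_r(findActive($find, $input));     // the O'Brien row
print_r(findActive($find, "Mallory"));  // empty: Mallory is not active
```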