On 15/07/2020 10:25, Gernot Hassenpflug wrote:
> From what I remember reading, the prepare statement is separated from
> the query, so no injections possible. The statement is prepared on the
> server, so similar queries using the same prepare can be executed very
> efficiently.
Prepare has to happen before any execute to link the parameters to the
placeholders. Where it becomes more productive is if you have a list of
data that you want to upload, such as the lines of an order. You simply
prepare the query and then loop through the list running the prepared
query with each new set of parameters. If you only need to run the same
query once then there is little point manually preparing the query, and
just allow it to automatically prepare and execute. The security aspect
here is the use of placeholders in the query rather than prepare doing
anything special. Without the placeholders, text can be added to the
query potentially 'injecting' extra SQL, while the prepared query would
use the 'injected' text as the value to insert into that placeholder.
On my systems we tend to get faults due to the text being too long for
the underlying field, so one still needs to handle a level of testing on
the data used as a parameter ... although at least things you may not
have considered will be safer.
--
Lester Caine - G8HFL
-----------------------------
Contact - https://lsces.uk/wiki/Contact
L.S.Caine Electronic Services - https://lsces.uk
Model Engineers Digital Workshop - https://medw.uk
Rainbow Digital Media - https://rainbowdigitalmedia.uk
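The points made above (prepare once and loop over the order lines, placeholders binding hostile text as a plain value, and the length check that placeholders do not do for you), as an added example that is not part of the thread. It uses Python's built-in sqlite3 module as a stand-in for the real server; the table, column width and sample order lines are constructed for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): the lines of one order.
ORDER_LINES = [
    (1001, "WIDGET-1", 3),
    (1001, "GADGET-2", 1),
    (1001, "PART-" + "9" * 40, 2),  # longer than the sku column allows
]
SKU_MAX_LEN = 20  # width of the underlying field (assumed for the example)
HOSTILE_SKU = "' OR '1'='1"  # text that rewrites a query if pasted into it


def make_db():
    """In-memory SQLite database standing in for the real server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE order_line (order_id INTEGER, sku TEXT, qty INTEGER)")
    return con


def insert_order(con, lines):
    """Prepare the insert once, then run it for every order line.
    Placeholders do not check field width, so the length test is done here.
    Returns (rows written, list of rejected SKUs)."""
    accepted, rejected = [], []
    for order_id, sku, qty in lines:
        if len(sku) > SKU_MAX_LEN:
            rejected.append(sku)
            continue
        accepted.append((order_id, sku, qty))
    # executemany prepares the statement once and binds each tuple in turn.
    con.executemany("INSERT INTO order_line VALUES (?, ?, ?)", accepted)
    con.commit()
    return len(accepted), rejected


def qty_unsafe(con, sku):
    """The 'before': SKU text is pasted into the SQL, so quotes in the data
    become part of the statement and here widen the WHERE clause to every row."""
    return [r[0] for r in con.execute(f"SELECT qty FROM order_line WHERE sku = '{sku}'")]


def qty_safe(con, sku):
    """With a placeholder the SKU is bound as a value: the same text is only
    compared against the column and matches nothing."""
    return [r[0] for r in con.execute("SELECT qty FROM order_line WHERE sku = ?", (sku,))]


def demo():
    con = make_db()
    written, rejected = insert_order(con, ORDER_LINES)
    return written, rejected, qty_unsafe(con, HOSTILE_SKU), qty_safe(con, HOSTILE_SKU)
```

Running `demo()` writes two of the three lines, rejects the over-long SKU, and returns every row's quantity from the concatenated query but nothing from the placeholder query.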