On Wed, Apr 16, 2008 at 08:19:23PM -0700, Jade Rubick wrote:

> Can someone explain why we need prepared statements?

With Oracle (and nsoracle), basically you don't.

> I thought by using bind variables, we avoid the SQL parse time (at
> least with Oracle, that's my understanding) if you're using the same
> SQL but with different values in your bind variables.

Correct, because the Oracle server caches the parsed SQL itself. The
literal SQL query you send it becomes the key to the cache.

Many Oracle docs and books tend to emphasize the use of bind variables
for performance reasons. ArsDigita and OpenACS, on the other hand,
tended to emphasize bind variables for correctness and safety reasons,
perhaps because Oracle's SQL parsing is fast enough that they never
noticed much need for any extra speed!

ACS had no bind variable support at all until version 3.4 or so, which
was probably c. 2000. (ACS 3.2 definitely did not have it.) In the
years before that, lots of sites got built with no bind variables at
all, and some of those were very large and busy.

(I was there for the ArsDigita company-wide fire drill to add use of
bind variables and other security-enhancing measures, which I believe
was kicked off because Guan Yang quietly demonstrated that several
prominent ACS sites were at the time readily crackable via SQL
smuggling.)

-- 
Andrew Piskorski <[EMAIL PROTECTED]>
http://www.piskorski.com/

--
AOLserver - http://www.aolserver.com/
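The two points Andrew makes above (a spliced-in value becomes part of the SQL text, while a bind variable keeps the text constant, which is also why a parse cache keyed on that text hits) are shown below in an added example that is not part of this thread or of any OpenACS/nsoracle code. It uses Python's built-in sqlite3 driver in place of Oracle, with a constructed two-row users table; the function names and the sample addresses are assumptions made for the illustration. The parse-cache count is a local stand-in for the server-side cache described above, not a measurement of Oracle itself.

```python
import sqlite3

BOUND_SQL = "SELECT user_id FROM users WHERE email = :email"


def make_db():
    """Constructed in-memory table standing in for a real users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com")],
    )
    return conn


def build_interpolated(email):
    """Pre-bind-variable ACS style: the value is spliced into the SQL text.

    Whatever the caller passes becomes part of the statement the server
    parses, so quote characters in the value change the query's meaning.
    """
    sql = f"SELECT user_id FROM users WHERE email = '{email}'"
    return sql, ()


def build_bound(email):
    """Bind-variable style: the SQL text is a constant, the value travels
    separately and is only ever treated as data by the server."""
    return BOUND_SQL, {"email": email}


def run(conn, builder, email):
    """Execute the statement produced by `builder` and return matching ids."""
    sql, params = builder(email)
    return [row[0] for row in conn.execute(sql, params)]


def parse_cache_keys(builder, emails):
    """Number of distinct SQL texts a cache keyed on the literal query
    would see for this batch of lookups (1 means every call is a hit)."""
    return len({builder(e)[0] for e in emails})


if __name__ == "__main__":
    conn = make_db()
    ok = "alice@example.com"
    # Constructed hostile value: a stray quote plus an always-true clause.
    hostile = "x' OR '1'='1"
    print("interpolated, normal :", run(conn, build_interpolated, ok))
    print("interpolated, hostile:", run(conn, build_interpolated, hostile))
    print("bound, normal        :", run(conn, build_bound, ok))
    print("bound, hostile       :", run(conn, build_bound, hostile))
    batch = ["a@example.com", "b@example.com", "c@example.com"]
    print("cache keys, interpolated:", parse_cache_keys(build_interpolated, batch))
    print("cache keys, bound       :", parse_cache_keys(build_bound, batch))
```

With the bound form the hostile value simply matches no row, because the server never sees it as SQL; with the interpolated form it rewrites the WHERE clause and returns every user. The cache-key count makes the performance side concrete: three different addresses produce three different statement texts when interpolated but a single text when bound.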