garaged wrote:
Prepared query handlers do the correct quotations for you; if they
don't, then it should not be called a prepared query. Prepared queries
do type checking, cache the base query, and other goodies along with
proper escaping/quoting. This is why you would use prepared queries,
so you don't have to worry about escaping user input for fear of
injection exploits.
Do you think it is cleaner or easier to understand to do prepared queries
vs. correct quotation?
You have to remember exactly the correct sequence of parameters for
every query. I'm not that good with memory, but I might be one in a
million.
That's why I mentioned that MDB2 supports the Oracle-style :name prepared
statements. Then you do not have to remember the order and you can
directly reference things by their name.
See my slides on database abstraction in MDB2 and PDO for details:
http://www.backendmedia.com/MDB2/database_abstraction.pdf
regards,
Lukas
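The three styles argued about in this thread (hand-rolled quoting, positional `?` placeholders, and named `:name` placeholders), as an added example that is not code from the thread, from MDB2 or from PDO. It uses Python's sqlite3 module, which accepts both `?` and `:name` placeholders, so the same mechanism can be shown offline; the users table and the injection payload are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; not from the thread or from MDB2.
USERS = [
    ("alice", "alice@example.com", 1),
    ("bob", "bob@example.com", 0),
    ("carol", "carol@example.com", 1),
]


def make_db():
    """Build an in-memory table so the example runs without a server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def unsafe_lookup(conn, name, active):
    """Hand-rolled quoting: the caller is responsible for escaping 'name'.

    Deliberately vulnerable so the difference is visible: a name containing
    a quote closes the literal and the rest of it becomes SQL."""
    sql = "SELECT name, email FROM users WHERE name = '%s' AND active = %s ORDER BY name" % (name, active)
    return conn.execute(sql).fetchall()


def positional_lookup(conn, name, active):
    """Prepared query with ? placeholders: values are bound, never interpolated,
    but the tuple must follow the order the placeholders appear in."""
    sql = "SELECT name, email FROM users WHERE name = ? AND active = ? ORDER BY name"
    return conn.execute(sql, (name, active)).fetchall()


def positional_lookup_swapped(conn, name, active):
    """The ordering mistake the thread is about: the same query with the two
    values bound in the wrong order. Nothing fails; it silently matches no row."""
    sql = "SELECT name, email FROM users WHERE name = ? AND active = ? ORDER BY name"
    return conn.execute(sql, (active, name)).fetchall()


def named_lookup(conn, name, active):
    """Prepared query with :name placeholders (the style MDB2 and PDO also offer).
    Values are bound by key, so the mapping can be built in any order."""
    sql = "SELECT name, email FROM users WHERE name = :name AND active = :active ORDER BY name"
    return conn.execute(sql, {"active": active, "name": name}).fetchall()


def named_lookup_typo_is_loud(conn):
    """With named placeholders a misspelled key fails at bind time instead of
    quietly returning the wrong rows. Returns True if sqlite3 refused to bind."""
    sql = "SELECT name FROM users WHERE name = :name AND active = :active"
    try:
        conn.execute(sql, {"name": "alice", "actve": 1})  # 'actve' is a deliberate typo
    except sqlite3.ProgrammingError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    attack = "' OR 1=1 --"  # constructed injection payload
    print("unsafe:    ", unsafe_lookup(db, attack, 1))
    print("positional:", positional_lookup(db, attack, 1))
    print("named:     ", named_lookup(db, attack, 1))
    print("swapped:   ", positional_lookup_swapped(db, "alice", 1))
    print("typo loud: ", named_lookup_typo_is_loud(db))
```

The payload makes the hand-quoted query return every row, while both prepared forms return nothing because the quote and the `--` stay inside the bound value. The last two functions show the trade-off Lukas raises: a swapped positional tuple is a silent logic bug, whereas a misnamed key in the named form is rejected before the query runs.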