On 4 November 2017 16:24:58 GMT+00:00, Stephen Reay <php-li...@koalephant.com> wrote:
>So while most apps don't need to reuse the prepared statement they
>benefit from the more bulletproof parameterization, IMO.

I think a lot of unnecessary confusion comes about because people say "prepared 
statements" when it would be clearer to talk about "parameterized statements". 


>Also - why does this need a new method? Can't it be an option to PDO
>(eg like emulated prepared statements option) and similar to emulated
>prepares (which wouldn't need to connect in the prepare() stage) it
>just stores the query until you call exec($data) and then makes one
>call to the DB server.

This makes sense to me. In effect, there are (for drivers that support them) 
two independent options:

- Prepare statement on server or send only when executed?
- Parameterize statement on server or pass as full SQL statement?

Preparing on the server without parameterizing on the server doesn't make much 
sense, so you end up with three modes: prepare, parameterize, or neither.

"Emulated prepares" should really be called "parameterize on client" - there's 
nothing really to "prepare" until the data is provided to substitute in. 

Finally, there are occasional cases where the entire SQL is static code, in 
which case it makes no difference which parameterization mode you use, but 
there might still be cases for toggling "prepare on server".

Regards,

-- 
Rowan Collins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
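
The modes discussed in the message above, as an added example that is not part of the original email and not PDO's own code. It assumes PHP 8 with pdo_sqlite, using an in-memory SQLite database as a stand-in for a database server so it runs offline; `clientParameterize()` and the `users` table are hypothetical, and the input values are constructed. The middle mode (parameterize on the server without preparing ahead) depends on driver and protocol support and is not shown.

```php
<?php
declare(strict_types=1);
// Added illustration: clientParameterize() and the users table are hypothetical.

// "Parameterize on client": substitute quoted values into the SQL text and
// return one full statement. Simplified assumption: named placeholders only,
// and the template holds no string literals or comments containing ":name".
function clientParameterize(PDO $pdo, string $sql, array $params): string
{
    return preg_replace_callback(
        '/:([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($pdo, $params): string {
            if (!array_key_exists($m[1], $params)) {
                throw new InvalidArgumentException("missing parameter :{$m[1]}");
            }
            $v = $params[$m[1]];
            return match (true) {
                $v === null => 'NULL',
                is_int($v)  => (string) $v,
                default     => $pdo->quote((string) $v), // driver-specific quoting
            };
        },
        $sql
    );
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$template = 'SELECT id FROM users WHERE name = :name';
$inputs   = ['alice', "x' OR '1'='1"]; // constructed sample values

// Prepare + parameterize in the engine: the template is compiled once and
// each execute() supplies only the data, which is never parsed as SQL.
$stmt = $pdo->prepare($template);
foreach ($inputs as $in) {
    $stmt->execute(['name' => $in]);
    printf("prepared: %-14s -> %d row(s)\n", $in, count($stmt->fetchAll()));
}

// Neither: the full SQL text is built on the client and sent in one call.
// Safety now rests entirely on the quoting step being correct.
foreach ($inputs as $in) {
    $full = clientParameterize($pdo, $template, ['name' => $in]);
    printf("client:   %s -> %d row(s)\n", $full, count($pdo->query($full)->fetchAll()));
}
```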
