On 14.05.2012 16:50, Johan De Meersman wrote:
> ----- Original Message -----
>> From: "Govinda" <[email protected]>
>>
>> 1.) Is anyone *who knows what he is doing* still using
>> mysql_real_escape_string()? Ever?
>
> I seem to vaguely remember someone showing me some code that would bypass
> escaping; but I didn't really pay a lot of attention, to be honest :-)
>
> Personally I haven't used escapes in ages, for the simple reason that
> prepared statements are just that much more convenient - and even if MySQL
> doesn't do a lot with it for the time being, they also allow for some very
> nifty in-server optimizations using cached query plans and similar nifties.
> Using them is a good habit for three reasons:
> 1) it makes you immune to SQL injections, at least as effectively as
> escaping;
> 2) if MySQL finally gets around to implementing an execution plan cache,
> you'll start benefiting without having to lift a finger
> 3) you won't need to learn new ways of working if you need to code on
> different databases :-)
But what about the dramatically reduced query-cache hits I see in some piece of software switching to prepared statements?

dbmail2, as an example, had around 300 SQL actions per second; dbmail3, using prepared statements, is currently at around 1000 per second.

I cannot imagine any better performance in a PHP script, since it is stateless and you have to do the whole prepare in each request.
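An added example, not from this thread, showing the two approaches the thread compares side by side in a PHP script against MySQL. It uses mysqli_real_escape_string() in place of the original mysql_real_escape_string() (the old mysql_ extension has since been removed from PHP); the table, columns, host and credentials are placeholders, and the PDO::ATTR_EMULATE_PREPARES switch is what decides whether a separate server-side prepare round trip happens on every request of a stateless script.

```php
<?php
// Added example (not code from the thread). Assumptions: a table `users`
// with columns `id` and `email`; host, database and credentials are placeholders.

$host = '127.0.0.1';
$db   = 'example';
$user = 'example_user';   // placeholder
$pass = 'example_pass';   // placeholder
$input = isset($_GET['email']) ? $_GET['email'] : '';

// (a) Escaping. The escaping is only correct for the character set the
//     connection is actually using, so set it on the link before escaping.
$link = mysqli_connect($host, $user, $pass, $db);
mysqli_set_charset($link, 'utf8mb4');
$sql = sprintf("SELECT id FROM users WHERE email = '%s'",
               mysqli_real_escape_string($link, $input));
$res = mysqli_query($link, $sql);
$rowA = $res ? mysqli_fetch_assoc($res) : null;

// (b) Prepared statement via PDO. The value is bound separately and never
//     becomes part of the SQL text, so no escaping step exists to get wrong.
$dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
$pdo = new PDO($dsn, $user, $pass, array(
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // false: real server-side prepare, i.e. a prepare round trip plus an
    //        execute on every request of a stateless PHP script (the cost
    //        the reply above is asking about).
    // true (PDO's default for MySQL): PDO builds the final SQL client-side
    //        and sends one query; no separate prepare round trip.
    PDO::ATTR_EMULATE_PREPARES => false,
));
$stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
$stmt->execute(array(':email' => $input));
$rowB = $stmt->fetch(PDO::FETCH_ASSOC);
```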
