On Mon, Aug 4, 2008 at 11:35 AM, Larry Garfield <[EMAIL PROTECTED]> wrote:
>
> On Mon, 04 Aug 2008 08:33:44 +0200, Per Jessen <[EMAIL PROTECTED]> wrote:
>> Larry Garfield wrote:
>>
>>> IIRC, the way in SQL to circumvent that is to convert "100%" into
>>> "100%%". However, that does rather defeat the purpose of a prepared
>>> statement if I have to do my own escaping anyway, does it not?
>>
>> Depends on what you perceive the purpose of the prepared statement to
>> be :-) In this context, I tend to think of performance only. Which is
>> generally why I can't be bothered with prepared statements in php.
>
> Actually in most cases in PHP you don't get much performance. What you do
> get is added security, because prepared statements are cleaner and more
> reliable than string escaping. Of course, then we run into the %
> problem above.
>
> --Larry Garfield
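The "% problem" in the exchange above is worth separating from the injection question. A bound parameter guarantees the value can never be parsed as SQL, but inside a LIKE pattern the value is still interpreted by LIKE itself, where `%` and `_` are wildcards. Doubling the `%` is not how LIKE handles that; the standard mechanism is to escape the metacharacters in the value and name the escape character with an ESCAPE clause. The following is an added example, not code from the thread; it uses an in-memory SQLite database so it runs anywhere PDO is available, and the `items` table and its rows are constructed for the demonstration.

```php
<?php
// Added example, not from the mailing-list thread. Shows why a bound
// parameter alone does not make "100%" literal inside LIKE, and the fix:
// escape the LIKE metacharacters in the value and declare the escape
// character with ESCAPE. Runs on an in-memory SQLite database.

/**
 * Escape LIKE metacharacters in a value that will be embedded in a pattern.
 * '%' and '_' are wildcards in every major dialect; SQL Server additionally
 * treats '[' as the start of a character class, so pass ['%', '_', '[']
 * there. '!' is used as the escape character to sidestep the differing
 * backslash rules in string literals across databases.
 */
function escapeLike(string $value, string $escape = '!', array $wildcards = ['%', '_']): string
{
    // The escape character itself must be escaped first, then each wildcard.
    $search  = array_merge([$escape], $wildcards);
    $replace = array_map(fn (string $c): string => $escape . $c, $search);
    return str_replace($search, $replace, $value);
}

/**
 * Prefix search on items.name. $escape = false reproduces the mistake from
 * the thread: the user's value is bound, but its '%' is still a wildcard.
 */
function prefixSearch(PDO $pdo, string $prefix, bool $escape): array
{
    $pattern = ($escape ? escapeLike($prefix) : $prefix) . '%';
    // The ESCAPE clause must name the same character escapeLike() used.
    $stmt = $pdo->prepare(
        "SELECT name FROM items WHERE name LIKE :pattern ESCAPE '!' ORDER BY name"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows for the demonstration.
$pdo->exec('CREATE TABLE items (name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO items (name) VALUES (:name)');
foreach (['100%', '1000', '100 percent', 'Price: 100% off'] as $name) {
    $insert->execute([':name' => $name]);
}

// The value from the thread: the user wants rows that start with a literal "100%".
$userInput = '100%';

// Bound but not escaped: parameter binding keeps this from being an
// injection, but it does nothing about LIKE's own metacharacters.
echo "unescaped: ", implode(', ', prefixSearch($pdo, $userInput, false)), "\n";

// Escaped: the '%' in the value now matches only a percent sign.
echo "escaped:   ", implode(', ', prefixSearch($pdo, $userInput, true)), "\n";
```

With the value left unescaped, the pattern becomes `100%%` and the search returns `100 percent`, `100%` and `1000`; with `escapeLike()` applied it becomes `100!%%` and only `100%` comes back. The escaping is applied to the value before binding, so the SQL text never changes and the query remains a real prepared statement; the two concerns (SQL structure, LIKE pattern semantics) are handled by two different mechanisms.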
True. I wish PDO would add an option of creating a parameterized query WITHOUT preparing it, at least for SQL Server. Why? There is overhead to creating the statement that way. I prefer using the "prepared statement" method as it decreases the exposure and risk to SQL injection. I'd like to see an option like the Microsoft ADO library so that I can prepare the statement if I will be running it several times with different parameter values each time, or choose not to incur the overhead if I'm only going to run a statement once.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
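Two knobs in PDO are relevant to the prepare-once versus one-shot trade-off Andrew describes. The first is the ordinary prepare/execute split, which is where a server-side prepare earns its round trip. The second is the connection attribute `PDO::ATTR_EMULATE_PREPARES`: when set to true, PDO keeps the placeholder API but asks the driver to quote and interpolate the parameters client-side instead of sending a separate prepare to the server. Whether a given driver honours that attribute is driver-specific, which is why the code checks the return value. The following is an added example, not from the thread; it uses an in-memory SQLite DSN so it runs anywhere, and the `events` table and rows are constructed for the demonstration.

```php
<?php
// Added example, not from the mailing-list thread. Demonstrates prepare-once /
// execute-many, and the PDO::ATTR_EMULATE_PREPARES switch between server-side
// and client-side (emulated) parameter handling. The DSN is an assumption:
// SQLite in memory so the example runs offline; substitute your own.

/** Open a connection and request (or refuse) client-side prepare emulation. */
function connect(bool $emulatePrepares): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // Drivers that cannot switch emulation return false (or throw, depending
    // on the driver and error mode); treat both as "not honoured".
    try {
        $honoured = $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, $emulatePrepares);
    } catch (PDOException $e) {
        $honoured = false;
    }
    fwrite(STDERR, sprintf(
        "ATTR_EMULATE_PREPARES=%s: %s\n",
        var_export($emulatePrepares, true),
        $honoured ? 'driver accepted the setting' : 'driver does not support switching'
    ));
    return $pdo;
}

/** Count events for one source at or above a severity level. */
function countEvents(PDO $pdo, string $source, int $minLevel): int
{
    // A one-shot query is still parameterized: PDO has no "placeholders
    // without prepare()" call. With emulation enabled, and a driver that
    // supports it, this prepare() does not hit the server.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM events WHERE source = :source AND level >= :level'
    );
    $stmt->execute([':source' => $source, ':level' => $minLevel]);
    return (int) $stmt->fetchColumn();
}

$pdo = connect(false);   // ask for real server-side prepares where available
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, source TEXT NOT NULL, level INTEGER NOT NULL)');

// Prepare once, execute many: one parse, many binds. Constructed sample rows.
$insert = $pdo->prepare('INSERT INTO events (source, level) VALUES (:source, :level)');
foreach ([['auth', 3], ['auth', 5], ['web', 1], ['web', 7], ['auth', 6]] as [$source, $level]) {
    $insert->execute([':source' => $source, ':level' => $level]);
}

echo "auth events at level 4 or higher: ", countEvents($pdo, 'auth', 4), "\n";
```

Two caveats when turning emulation on to save the round trip. The injection protection then rests on the driver's client-side quoting rather than on the server never seeing parameter values as SQL, so the connection character set must be declared in the DSN (for example `charset=utf8mb4` for MySQL) so that the quoting matches what the server will decode. And the setting is per connection, not per statement, so a connection pool that mixes the two modes needs to be configured deliberately.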