On 4 November 2010 08:19, Shreyas Agasthya <shreya...@gmail.com> wrote:
> Tamara,
> In one of the earlier threads, it was mentioned mysqli APIs are more secure,
> faster, and actually maintained.
> Also, if you use some of the mysql_xxx(), you actually get a warning saying
> that it will be or it is being deprecated and paves the way for you to
> approach the same thing with mysqli_xxx().
> The seniors perhaps can give you more facts which they have seen and
> experienced.
> Regards,
> Shreyas
> On Thu, Nov 4, 2010 at 1:18 PM, Tamara Temple <tam...@tamaratemple.com>wrote:
>> I'm wondering what the advantages/disadvantage of using prepared statements
>> with mysqli are. I'm used to using the mysqli::query and mysqli::fetch_assoc
>> functions to deal with retrieving data and bulding my sql statement in php
>> code.
>> Tamara Temple
>>        -- aka tamouse__
>> tam...@tamaratemple.com
>> "May you never see a stranger's face in the mirror."
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
> --
> Regards,
> Shreyas Agasthya

I don't use mysql, I use MS SQL, but the principles are pretty much the same.

A prepared statement allows the SQL server to work out what needs to
be done prior to actually doing it. The server essentially compiles
the SQL statement and provides places for you to put in type
appropriate values.

A prepared statement can be executed repeatedly with different data,
without the need of the SQL server having to recompile the query.

Due to the SQL server knowing the column types you are using when you
are going to supply data to the query, the data types are managed for
you. Hmm, I've not explained that very well. Basically, a prepared
statement is a lot harder to get SQL injection code working.

Normally SQL will handle a string as a string and not as part of the
SQL statement. So a password of "' or 1" will be treated as that and
NOT as an or statement on a where clause (assuming a simple SQL

covers this sort of stuff.

Now, taking this one stage further.

If you have a query in your PHP code, which you are going to be
executing a lot, even if you are using prepared statements, you can go
one further by creating a stored procedure. Now the SQL server will
only ever need to compile the statement once. No matter how many times
it is used. You only need to supply the data which will be type

Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to