On Fri, Jun 17, 2011 at 4:55 AM, Vitalii Demianets
<vi...@nppfactor.kiev.ua> wrote:
> On Friday 17 June 2011 04:50:00 Daevid Vincent wrote:
>> > I've seen too many people over the years try and rally against common
>> > sense practices like using prepared statements for perhaps a marginal
>> > gain of performance on one page while their load averages are 0,0,0.
>> Agreed. The ONLY time prepared statements are useful, is in a loop where
>> you're changing a few variables but within the same SQL statement. That is
>> a rare case for most people.
> Not ONLY. I love prepared statements because with them I can store arbitrary
> strings in DB without need to worry about fancy escaping and SQL injection.
> And do it in DB-independent way.
> Think about all that extra escaping and performance gain of not using prepared
> statement will shrink a lot ) Don't have actual numbers though.
> --
> Vitalii
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

You can implement caching at so many levels of the app that using a
prepared statement should be at the lower spectrum of your worries.
It is too easy to forget calling escape whether it be for a DB or
output to the browser as proven by all the various bug trackers and
hacked websites across the net.

Just to drive this point home, if you do a quick search on Secunia for
'SQL Injection' [1] you get 4,158 advisories.  Worth the risk?


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to