This brings up an interesting point. Many people slam prepared statements for being slow for non-repetitive queries. However, if you need to make multiple trips to the database engine and back to escape a handful of parameters, I wonder which method is actually faster -- especially if your DB is on a different server. Simply climbing up and down the TCP/IP stack burns a lot of cycles, unless you happen to have one of the TOEs that I have written about (TCP/IP offload/acceleration engine). I recall seeing a performance comparison somewhere, but its location escapes me -- no pun intended.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Krings
Sent: Tuesday, October 31, 2006 7:22 PM
To: NYPHP Talk
Subject: Re: [nyphp-talk] mysql_real_escape_string WAS: Mysql question!

Hi,

my guess is that some of the characters escaped using the mysql escaping cannot be reasonably expected to come in from user input. Mysql_real_escape_string escapes all these: \x00, \n, \r, \, ', " and \x1a but I can't think of any way on how to get \x1a as user input (assuming that this is the hex value for an ASCII character). Even NULL is difficult, but not impossible. I guess that the "ultimately unnecessary" looks at it from a viewpoint of what is possible assuming the user is the idiot and not the developer. It consumes a trip to the database engine and back, whereas addslashes doesn't.

I don't know, my arguments are a bit thin and it may really just be like that: "ultimately unnecessary" as long as the string was addslashed.

David K.

Cliff Hirsch wrote:
> I just read the same thing in Cal's book and was going to ask the group
> about this. While prepared statements sound nice in theory, there are
> many of us that still hack together "old-fashioned" queries. And what
> does "ultimately unnecessary" mean anyway? Consumes more mips than it's
> worth?
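
Added example, not part of the original messages: a PHP comparison of `addslashes()` with an emulation of the escape list quoted in the thread, run over constructed sample strings. The helper names `escape_like_listed` and `visible` are hypothetical, and the emulation ignores the connection character set, which the real `mysql_real_escape_string` takes into account.

```php
<?php
// Added example; helper names and sample strings are constructed for illustration.

// Emulates the escape list quoted in the thread for mysql_real_escape_string.
// Hypothetical helper: it ignores the connection character set.
function escape_like_listed(string $s): string
{
    // strtr() with an array never rescans its own output, so the
    // backslashes it inserts are not escaped a second time.
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Render control bytes as <HH> so the report is readable on a terminal.
function visible(string $s): string
{
    return preg_replace_callback(
        '/[\x00-\x1f]/',
        fn($m) => sprintf('<%02X>', ord($m[0])),
        $s
    );
}

// Constructed inputs: one per character in the quoted list.
$samples = [
    "O'Reilly",
    'say "hi"',
    'C:\\temp',
    "nul\x00byte",
    "line1\nline2",
    "cr\rhere",
    "ctrl\x1az",
];

foreach ($samples as $raw) {
    $a = addslashes($raw);          // escapes ', ", \ and NUL only
    $m = escape_like_listed($raw);  // also rewrites \n, \r and \x1a
    printf("%-16s addslashes=%-18s listed=%-18s %s\n",
        visible($raw), visible($a), visible($m),
        $a === $m ? 'same' : 'DIFFERENT');
}
```

The two outputs differ only for the samples containing `\n`, `\r` or `\x1a`; quotes, backslashes and NUL are handled identically by both.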