Cardale Posted July 17, 2010 Share Posted July 17, 2010 How many queries should I limit myself to preparing? Is there any overhead I should be worried about? Do the prepared queries only stay "prepared" for one session or does it stay prepared as long as the server hasn't restarted? Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/ Share on other sites More sharing options...
Mchl Posted July 17, 2010 Share Posted July 17, 2010 They stay prepared for one connection. Here's some good read: http://www.mysqlperformanceblog.com/2006/08/02/mysql-prepared-statements/ Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087577 Share on other sites More sharing options...
Cardale Posted July 17, 2010 Author Share Posted July 17, 2010 ahh...whats the point of that then? Is there any way to have it stay prepared for all user sessions? It is like loading program resources into memory much faster. Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087578 Share on other sites More sharing options...
Mchl Posted July 17, 2010 Share Posted July 17, 2010 You can create stored procedures/functions which pretty much have the same advantages. The main point of prepared statements in web application is to avoid SQL injections. For desktop type application they can also bring some performance benefit. Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087579 Share on other sites More sharing options...
Cardale Posted July 18, 2010 Author Share Posted July 18, 2010 I see. This prevents all forms of injection? Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087633 Share on other sites More sharing options...
Mchl Posted July 18, 2010 Share Posted July 18, 2010 If used properly it does. Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087690 Share on other sites More sharing options...
Daniel0 Posted July 18, 2010 Share Posted July 18, 2010 You can create stored procedures/functions which pretty much have the same advantages. Stored procedures don't protect you from SQL injections. Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087710 Share on other sites More sharing options...
Mchl Posted July 18, 2010 Share Posted July 18, 2010 How so? The SQL is precompiled so the queries can't be broken. Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087713 Share on other sites More sharing options...
Daniel0 Posted July 18, 2010 Share Posted July 18, 2010 How so? The SQL is precompiled so the queries can't be broken. You still have the problem of passing the procedure call to the database server along with the user input, and if you generate a query by concatenating strings in the stored procedure, you are back to the original problem. A quick search on Google and some MS SQL stuff: http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/ Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087720 Share on other sites More sharing options...
Mchl Posted July 18, 2010 Share Posted July 18, 2010 Yeah that's true. But that's the problem with any dynamically created SQL, and you can't actually get rid of it (unless we get mysql_call() function sometime) Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087721 Share on other sites More sharing options...
Daniel0 Posted July 18, 2010 Share Posted July 18, 2010 $stmt = $db->prepare('CALL getUser(?)'); $stmt->execute(array($_GET['username'])); Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087723 Share on other sites More sharing options...
Mchl Posted July 18, 2010 Share Posted July 18, 2010 Hah, nifty Quote Link to comment https://forums.phpfreaks.com/topic/208054-prepared-queries-recommendation/#findComment-1087724 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.