On 8/19/07, Matthew Welland <[EMAIL PROTECTED]> wrote:
> By the by I suspect that option 2. doesn't protect against SQL injection
> threats to the same degree that option 1. does. Also, I believe that there
> are optimizations that can be done with positional arguments for when a
> query is called multiple times with different arguments. Can the sql egg
> approach ever take advantage of those type of optimizations?

You're thinking of "prepared statements". Pass a query with positional
arguments in it to your database engine; it parses and prepares an
execution plan, returning a statement "handle". You can then reuse the
prepared statement any number of times, without the parsing/planning
overhead. It's effective protection against SQL injection, for the
same reasons.

That being said, it is outside the scope of the sql egg. A common DBI
would be an appropriate place for a prepared-statement interface, but
the actual preparation is done by the RDBMS.

Graham
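
The prepared-statement behaviour described above, as an added example that is not part of this thread: Python's sqlite3 module stands in for a Chicken DBI, the table rows are constructed, and the `?` positional placeholder is what the engine binds as data rather than parsing as SQL text.

```python
import sqlite3

# Constructed sample rows (not from the original thread); the third name
# contains a quote, the classic case that breaks string-built SQL.
USERS = [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("o'brien", "ob@example.org")]


def make_db():
    """In-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Query text built by concatenation: the argument is parsed as part
    of the SQL statement, so a quote inside it changes the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Fixed query text with a positional placeholder: the engine parses
    and plans the statement once, then binds the argument as a value, so
    the structure of the statement cannot be altered by the input."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_many(conn, names):
    """The same prepared query reused for several argument sets; this is
    the repeat-execution case where the parse/plan work is not redone."""
    sql = "SELECT email FROM users WHERE name = ?"
    cur = conn.cursor()
    return {n: [r[0] for r in cur.execute(sql, (n,))] for n in names}
```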


_______________________________________________
Chicken-users mailing list
Chicken-users@nongnu.org
http://lists.nongnu.org/mailman/listinfo/chicken-users
