Stephen Clouse writes:
 > 
 > You should be using placeholders either way, if only to spare yourself from the
 > pain of proper quoting when interpolating variables into SQL statements, and in 
 > the case of CGI and other similar programs, to spare yourself from SQL variable
 > interpolation attacks.

While I agree with this in general, it should be pointed out that for
Sybase (and possibly MS-SQL) servers the prepare with placeholder
involves some additional overhead over a straight SQL request (both in
terms of processing time and of resources on the server). It is
therefore usually preferable, when using a Sybase back-end, to avoid
?-style placeholders for requests that are only going to be called
once. 

For Sybase and MS-SQL servers you can use stored procedures (that's
what SQL statements with ?-placeholders resolve to anyway) to avoid
SQL parsing and query plan optimization on each request. 

With Sybase::CTlib you can call stored procs as RPC calls instead of
SQL language calls thus avoiding the SQL parsing altogether as well as
any interpolation attacks. I'm considering adding this capability to
DBD::Sybase, possibly as a $dbh->func() call.

Michael
-- 
Michael Peppler - Data Migrations Inc. - [EMAIL PROTECTED]
http://www.mbay.net/~mpeppler - [EMAIL PROTECTED]
International Sybase User Group - http://www.isug.com
Sybase on Linux mailing list: [EMAIL PROTECTED]
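To show the interpolation attack the quoted text refers to, the ?-placeholder that defeats it, and the stored-procedure call Michael recommends for Sybase, here is an added Perl/DBI example. It is not code from the original message or from DBD::Sybase. Assumptions: DBD::SQLite is installed so the first two lookups run in memory without a server; the stored procedure name `sp_lookup_user`, the `SYBASE_DSN`/`SYBASE_USER`/`SYBASE_PASS` environment variables and the `users` table are invented for the demo; and the claim that a placeholder in an "exec" statement is sent as an RPC call applies to later DBD::Sybase releases, not the version discussed here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed "CGI input": a classic tautology payload.
my $EVIL_NAME = "x' OR '1'='1";

# Vulnerable: the attacker's quote closes the string literal and the OR
# widens the WHERE clause, so every row in the table comes back.
sub lookup_interpolated {
    my ($dbh, $name) = @_;
    my $sql = "SELECT name FROM users WHERE name = '$name'";
    return $dbh->selectcol_arrayref($sql);
}

# Same query with a ?-placeholder: the value is bound separately from the
# SQL text, so the payload is compared as a single literal string and
# matches no row.
sub lookup_placeholder {
    my ($dbh, $name) = @_;
    return $dbh->selectcol_arrayref(
        "SELECT name FROM users WHERE name = ?", undef, $name);
}

# Sybase/MS-SQL only: call a pre-existing stored procedure (assumed name
# sp_lookup_user, one varchar argument) instead of sending SQL text.
# Assumption: with a placeholder in an "exec" statement, later DBD::Sybase
# versions issue an RPC call rather than a language batch, so the server
# parses no SQL built from the argument.  Only the first result set is
# read; a real procedure may return several plus a return status.
sub lookup_stored_proc {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare("exec sp_lookup_user ?");
    $sth->execute($name);
    my @names;
    while (my $row = $sth->fetchrow_arrayref) {
        push @names, $row->[0];
    }
    $sth->finish;
    return \@names;
}

# Demo against an in-memory SQLite database (assumption: DBD::SQLite
# installed).  The injection mechanics are the same for any DBD driver.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE users (name VARCHAR(32), password VARCHAR(32))");
$dbh->do("INSERT INTO users VALUES ('alice', 's3cret')");
$dbh->do("INSERT INTO users VALUES ('bob', 'hunter2')");

my $leaked = join(",", @{ lookup_interpolated($dbh, $EVIL_NAME) });
my $bound  = join(",", @{ lookup_placeholder($dbh, $EVIL_NAME) });
printf "interpolated : %s\n", $leaked;
printf "placeholder  : %s\n", $bound eq "" ? "(no rows)" : $bound;
$dbh->disconnect;

# Optional: run the stored-procedure variant against a real Sybase server,
# e.g. SYBASE_DSN="dbi:Sybase:server=SYBASE;database=app" (assumed DSN).
if (my $dsn = $ENV{SYBASE_DSN}) {
    my $sdbh = DBI->connect($dsn, $ENV{SYBASE_USER}, $ENV{SYBASE_PASS},
                            { RaiseError => 1 });
    my $proc = join(",", @{ lookup_stored_proc($sdbh, $EVIL_NAME) });
    printf "stored proc  : %s\n", $proc eq "" ? "(no rows)" : $proc;
    $sdbh->disconnect;
}
```

With the payload above, the interpolated query returns both users while the placeholder query returns none, because DBI passes the bind value to the driver outside the SQL text. The stored-procedure variant is the cheap path on Sybase that the message describes: the plan is compiled once on the server and the argument never passes through the SQL parser.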
