Christopher A. Watford wrote:
> Prepared query handlers do the correct quotations for you, if they
> don't then it should not be called a prepared query. Prepared queries
> do type checking, cache the base query, and other goodies along with
> proper escaping/quoting. This is why you would use prepared queries,
> so you don't have to worry about escaping user input for fear of
> injection exploits.
Note that currently MDB2 only natively supports prepared queries in the
oci8, ibase and mysqli driver. I am planning on adding native prepared
query support for the pgsql driver eventually.
For all other drivers it's emulated, including proper quoting of course.
As for caching prepared statements, this is a tricky topic. PHP obviously
has to rely on the database to do this properly for now and for example
with pgsql you run into issues, because pgsql expects the middleware to
keep the handle to the prepared statement.
regards,
Lukas
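As an added illustration of the points made above (this is example code written for this note, not code from the MDB2 project or from either poster), the snippet below shows the difference between building a query by string concatenation and running it through MDB2's prepare()/execute() path, and it reuses one prepared statement for several lookups, which is what the pgsql driver needs the middleware to do. The DSN, the users table and its columns are assumed for the example.

```php
<?php
// Added example: MDB2 prepared queries vs. string concatenation.
// Assumed: a table "users(id, name)" reachable through the DSN below.
require_once 'MDB2.php';

$dsn = 'pgsql://app_user:secret@localhost/appdb'; // assumed DSN, adjust locally
$mdb2 =& MDB2::factory($dsn);
if (PEAR::isError($mdb2)) {
    die('Connect failed: ' . $mdb2->getMessage() . "\n");
}

// UNSAFE, shown only for contrast: the value is pasted straight into the
// SQL text. A name such as O'Reilly already breaks the statement, and any
// quoting is left entirely to the programmer.
function findUserUnsafe($mdb2, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $mdb2->queryAll($sql, null, MDB2_FETCHMODE_ASSOC);
}

// SAFE: prepare once, pass values separately on execute(). On drivers with
// native prepared statements (oci8, ibase, mysqli) the value never becomes
// part of the SQL text; on the other drivers MDB2 emulates this and quotes
// the value for the declared type ('text') itself.
function prepareFindUser($mdb2)
{
    $sql  = 'SELECT id, name FROM users WHERE name = ?';
    $stmt = $mdb2->prepare($sql, array('text'), MDB2_PREPARE_RESULT);
    if (PEAR::isError($stmt)) {
        die('Prepare failed: ' . $stmt->getMessage() . "\n");
    }
    return $stmt;
}

function findUser($stmt, $name)
{
    $res = $stmt->execute(array($name));
    if (PEAR::isError($res)) {
        die('Execute failed: ' . $res->getMessage() . "\n");
    }
    $rows = array();
    while ($row = $res->fetchRow(MDB2_FETCHMODE_ASSOC)) {
        $rows[] = $row;
    }
    $res->free();
    return $rows;
}

// Keep the statement handle and reuse it: for pgsql the prepared statement
// lives on the server side and the middleware (our code) must hold the
// handle, so re-preparing for every call would defeat the caching.
$stmt = prepareFindUser($mdb2);
foreach (array('alice', "O'Reilly", 'bob') as $name) {
    $rows = findUser($stmt, $name);
    printf("%-10s -> %d row(s)\n", $name, count($rows));
}
$stmt->free();

// What the emulated path does per value: quote() for the declared type.
// Printing it makes the escaping visible; the prepared path does this
// (or better, on native drivers) without the caller touching the SQL.
echo $mdb2->quote("O'Reilly", 'text') . "\n";

$mdb2->disconnect();
```

The constant MDB2_PREPARE_RESULT tells MDB2 the statement returns a result set (as opposed to MDB2_PREPARE_MANIP for INSERT/UPDATE/DELETE); the `array('text')` argument is the per-placeholder type list that drives both type checking and, on emulating drivers, the quoting.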