On 27/02/2021 14:03, Pierre wrote:
> I'm curious, why are you stating that emulated prepares are not useful anymore?


Emulated prepares are a slightly dangerous idea, because they give the impression of separating query from data, but actually use string escaping internally. Historically, I believe there were previously scenarios where real prepared queries were not available, which no longer apply.


> Using the prepare() function, as I remember correctly, seems to be the only way to execute a query that allows you to pass an array of parameters instead of having to call PDOStatement::bindParam() for each parameter.


Regardless of whether you use emulated or real prepares, the PDOStatement's execute method can be called with an array of parameters, and as far as I know always could.


> That's the only reason I use emulated prepares anyway; it allows using this API without actually preparing the queries, which is what I want most of the time.


This is a slightly different point: when running a query once, it seems to currently require two database round trips: one to prepare, and one to execute. I don't know what the underlying drivers support here, but it would be useful to have a method on the PDO object itself that let you provide a parameterised string and its data in one go. That would be safer than using emulated prepares, and (hopefully) more efficient than using real prepares.

Regards,

--
Rowan Tommins
[IMSoP]

--
PHP Internals - PHP Runtime Development Mailing List