> And using prepare statement to pass variable by binding variable
> is simple good programming (and must be used with many other good
> practices...input check...)
> And effectively it is the variable binding and not the prepare
> statement that adds real security against sql injection...
> but actually i've not seen sql variable binding without prepare
> statement...that is why all speak about prepare statement and not
> variable binding...

I do not dispute that variable binding can help with some issues of sql injection. But, it does not do as much as some would have you believe. I have read statements like "Prepared statement are generally immune to SQL Injection" and worst of all "I am using prepared statements to be sure that my application are not vulnerable to sql injection attacks".

A quick google search for 'sql injection prepared statements' found those 2 statements (1 is a security article) very quickly.

That is the message that users are getting about prepared statements. It's simply not a good message. That is my point. Neither the PHP manual nor the MySQL manual mentions sql injection when talking about prepared statements. And frankly, it's not the manual's job to tell you how to write secure code. So, this has to be coming from people.

> And generating dynamic (and no variable binding) sql statement in
> general is not good for performance... because that adds cpu and
> DBMS sql cache consumption...

Are you saying that filling a variable into a string is slower than calling a function with an array to generate a sql statement? I don't think so. If you know of such a variable binding library in PHP, please hook me up. I will start using it tomorrow.

And, as you said, variable binding has only been used in PHP with prepared statements. Unless you reuse a statement, you lose performance every time you prepare a statement.

So, IMO, there is no performance gain either with prepared statements/variable binding for normal, one time use queries.

--

Brian Moon
-------------
http://dealnews.com/
It's good to be cheap =)
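The distinction the thread is arguing about, as an added example that is not part of the original message or of PHP's own documentation: a value interpolated into SQL text versus the same value passed as a bound parameter, and the case binding does not cover at all (an identifier such as an ORDER BY column), which is where the "input check" from the quoted reply still has to do the work. It assumes PDO with the pdo_sqlite extension; the table, rows and the input string are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): dynamic SQL vs. bound parameters,
// plus the identifier case that parameters cannot express.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed input: what an untrusted form field might carry.
$name = "x' OR '1'='1";

// 1. Dynamic SQL: the input becomes part of the statement text, so the
//    WHERE clause is rewritten and the query matches every row.
function lookupDynamic(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement with a bound value: the input travels as data and is
//    never parsed as SQL, so nothing matches (no user has that literal name).
function lookupBound(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Binding covers values only. A column name for ORDER BY cannot be a
//    placeholder, so the statement is still built as text and the input
//    must be checked some other way: here, against a fixed allow-list.
function listSorted(PDO $pdo, string $requestedSort): array
{
    $allowed = ['name', 'role'];
    $sort = in_array($requestedSort, $allowed, true) ? $requestedSort : 'name';
    return $pdo->query("SELECT name FROM users ORDER BY $sort")->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupDynamic($pdo, $name));      // ['alice', 'bob']: the clause was rewritten
var_dump(lookupBound($pdo, $name));        // []: the value was compared literally
var_dump(listSorted($pdo, 'role; DROP'));  // falls back to ORDER BY name
```

Running lookupDynamic() and lookupBound() with the same input shows what the thread calls "real security" coming from the binding, not from the prepare step itself; listSorted() shows why the quoted reply's "input check" is still required alongside it.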

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
