On Sun, 21 Mar 2004 18:39:39 -0800, Chris Shiflett wrote:

> 
> Can you explain that (and defend it)?
> 
The reason is security. A prepared statement cannot compromise the
security of our database because all SQL statements are precompiled in the
DBMS. An example using PEAR:

require_once 'DB.php';  // PEAR DB
$db  = & DB::connect('mysql://someuser:[EMAIL PROTECTED]/thedb');
$sth = $db->prepare('select * from sometable where id > ?');  // compiled once, with a placeholder
$res = $db->execute($sth, array(10));  // the value is bound separately, never parsed as SQL

As the example demonstrates, the request is hardcoded, which means it cannot
be manipulated by any user supplied input. A beneficial side effect is
that all characters which need escaping are automatically handled by the
DBMS. E.g. the string O'leary would not cause any problems.

Another argument is that it theoretically should run faster.

-- 
Hilsen/Regards
Michael Rasmussen
--------------------------------------------------------------
Be careful!  Is it classified?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
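The two points made in the mail above (a bound value is never parsed as SQL, and quoting such as O'leary needs no escaping) shown side by side with string concatenation, as an added example that is not part of the original post. It uses Python's sqlite3 in place of PEAR DB; the table "sometable" and its rows are constructed here.

```python
import sqlite3

# Constructed sample data standing in for "sometable" from the mail.
ROWS = [(1, "Smith"), (2, "O'leary"), (3, "Jensen")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO sometable VALUES (?, ?)", ROWS)
    return conn


def find_by_name_concat(conn, name):
    # Vulnerable: the value is spliced into the SQL text, so the quote
    # in O'leary is read as SQL and the statement no longer parses.
    sql = "SELECT id FROM sometable WHERE name = '" + name + "'"
    return [r[0] for r in conn.execute(sql)]


def find_by_name_prepared(conn, name):
    # Hardened: the statement is fixed, the value is bound separately.
    return [r[0] for r in conn.execute(
        "SELECT id FROM sometable WHERE name = ?", (name,))]


def ids_above_concat(conn, threshold):
    # Vulnerable counterpart of the "id > ?" query: user text becomes SQL.
    sql = "SELECT id FROM sometable WHERE id > " + str(threshold)
    return [r[0] for r in conn.execute(sql)]


def ids_above_prepared(conn, threshold):
    # Same query as the PEAR example; whatever is bound is one value.
    return [r[0] for r in conn.execute(
        "SELECT id FROM sometable WHERE id > ?", (threshold,))]


def demo():
    conn = make_db()
    out = {}
    try:
        find_by_name_concat(conn, "O'leary")
        out["concat_oleary"] = "ok"
    except sqlite3.OperationalError:
        out["concat_oleary"] = "syntax error"
    out["prepared_oleary"] = find_by_name_prepared(conn, "O'leary")
    tainted = "1 OR 1=1"  # non-numeric text where a number was expected
    out["concat_tainted"] = ids_above_concat(conn, tainted)      # every row
    out["prepared_tainted"] = ids_above_prepared(conn, tainted)  # no rows
    return out
```

With the bound parameter, sqlite compares the integer column against the whole string "1 OR 1=1" as a single text value, so no row matches; with concatenation the same text is parsed as SQL and every row comes back.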
