On Sun, 21 Mar 2004 18:39:39 -0800, Chris Shiflett wrote:
>
> Can you explain that (and defend it)?
>

The reason is security. A prepared statement cannot compromise the security of our database because all SQL statements are precompiled in the DBMS. An example using PEAR:

    require_once 'DB.php';
    $db =& DB::connect('mysql://someuser:[EMAIL PROTECTED]/thedb');
    if (DB::isError($db)) { die($db->getMessage()); }
    $sth = $db->prepare('select * from sometable where id > ?');
    $res = $db->execute($sth, array(10));

As the example demonstrates, the request is hardcoded, which means it cannot be manipulated by any user-supplied input. A beneficial side effect is that all characters which need escaping are automatically handled by the DBMS. E.g. the string O'leary would not cause any problems. Another argument is that it theoretically should run faster.

--
Hilsen/Regards
Michael Rasmussen
--------------------------------------------------------------
Be careful! Is it classified?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
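The point of the post, a fixed statement text with the value passed separately versus user input pasted into the SQL string, as a runnable illustration. This is an added example, not code from Michael's post and not PEAR code; it is written in Python with the standard-library sqlite3 module rather than PHP because only the binding, not the language, matters. The table `sometable`, its three rows and the inputs (`10 OR 1=1`, `' OR 1=1 --`, `O'leary`) are constructed for the example.

```python
import sqlite3

# Constructed in-memory sample table for this example; not data from the post.
SAMPLE_ROWS = [(5, "Smith"), (12, "O'leary"), (20, "Jones")]


def build_db():
    """Create a throwaway SQLite database holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sometable (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO sometable (id, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def ids_above_concat(conn, user_input):
    """Vulnerable: the user input becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT id FROM sometable WHERE id > " + user_input
    return [row[0] for row in conn.execute(sql)]


def ids_above_bound(conn, user_input):
    """Safe: the statement text is fixed; the value travels as a parameter."""
    rows = conn.execute("SELECT id FROM sometable WHERE id > ?", (user_input,))
    return [row[0] for row in rows]


def id_by_name_concat(conn, name):
    """Vulnerable, and also fragile: an apostrophe in the name breaks the statement."""
    sql = "SELECT id FROM sometable WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None  # the unescaped quote produced a syntax error


def id_by_name_bound(conn, name):
    """Safe: no escaping needed, the driver never splices the value into the SQL."""
    rows = conn.execute("SELECT id FROM sometable WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    print(ids_above_concat(db, "10"))            # [12, 20]
    print(ids_above_concat(db, "10 OR 1=1"))     # [5, 12, 20]  every row: injected
    print(ids_above_bound(db, 10))               # [12, 20]
    print(ids_above_bound(db, "10 OR 1=1"))      # []  bound as text, never parsed as SQL
    print(id_by_name_concat(db, "O'leary"))      # None  the apostrophe breaks the query
    print(id_by_name_concat(db, "' OR 1=1 --"))  # [5, 12, 20]  injected
    print(id_by_name_bound(db, "O'leary"))       # [12]
```

The empty result for the bound `10 OR 1=1` is SQLite's own comparison rule (integers sort before text); another DBMS may coerce the text to 10 or reject it, but none of them parse it as SQL, which is the property that matters. Whether a driver binds server-side or escapes client-side, the application code never concatenates the value into the statement text, so `O'leary` and `' OR 1=1 --` are just strings.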