Prepared statement for MySQL 4.1
I've read the article about 'prepared statement' found in MySQL 4.1, and am not sure if I understood what 'prepared statement' does and how can it benefit us. Can anyone elaborate on what 'prepared statement' could do with examples where possible? Thanks, The Newbie Scott -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Prepared statement for MySQL 4.1
Hello. As said at documentation: Prepared execution is an efficient way to execute a statement more than once. Good examples you can find in documentation to MySQL, and in tests/client_test.c. Scott Hamm [EMAIL PROTECTED] wrote: I've read the article about 'prepared statement' found in MySQL 4.1, and am not sure if I understood what 'prepared statement' does and how can it benefit us. Can anyone elaborate on what 'prepared statement' could do with examples where possible? Thanks, The Newbie Scott -- For technical support contracts, goto https://order.mysql.com/?ref=ensita This email is sponsored by Ensita.NET http://www.ensita.net/ __ ___ ___ __ / |/ /_ __/ __/ __ \/ /Gleb Paharenko / /|_/ / // /\ \/ /_/ / /__ [EMAIL PROTECTED] /_/ /_/\_, /___/\___\_\___/ MySQL AB / Ensita.NET ___/ www.mysql.com -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Prepared statement for MySQL 4.1
Scott, http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html regards, Mark. On Thu, 2004-11-11 at 15:38, Scott Hamm wrote: I've read the article about 'prepared statement' found in MySQL 4.1, and am not sure if I understood what 'prepared statement' does and how can it benefit us. Can anyone elaborate on what 'prepared statement' could do with examples where possible? Thanks, The Newbie Scott -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Prepared statement for MySQL 4.1
*THAT* one was what I already ready and could not understand it since English isn't my first language. -Original Message- From: Mark Maunder [mailto:[EMAIL PROTECTED] Sent: Thursday, November 11, 2004 12:45 PM To: Scott Hamm Cc: 'Mysql ' (E-mail) Subject: Re: Prepared statement for MySQL 4.1 Scott, http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html regards, Mark. On Thu, 2004-11-11 at 15:38, Scott Hamm wrote: I've read the article about 'prepared statement' found in MySQL 4.1, and am not sure if I understood what 'prepared statement' does and how can it benefit us. Can anyone elaborate on what 'prepared statement' could do with examples where possible? Thanks, The Newbie Scott -- MySQL General Mailing List For list archives: http://lists.mysql.com/mysql To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
Re: Prepared statement for MySQL 4.1
Scott,
I've read the article about 'prepared statement' found in MySQL 4.1, and am
not sure if I understood what 'prepared statement' does and how can it
benefit us. Can anyone elaborate on what 'prepared statement' could do with
examples where possible?
In the simplest case, consider this:
You have an application (say a webpage), which receives user input (say
a submitted form) which contain an e-mail address that you want to
insert into a database. Let's say you have this form field in a variable
called $email:
Inserting:
$dbh-do(INSERT INTO mytable (email) VALUES ('$email'));
Now if you do not verify what is in $email, and the user passes you this
: notavalidemail@'adress
you can run into trouble, as the above statement will parse to
INSERT INTO mytable (email) VALUES ('notavalidemail@'adress)
which is not good, it produces an SQL error because of the extra '
character. You can run into more serious trouble if you get something
more SQL-like from your form, say DELETE FROM mytable or something
like that ;-)
Using placeholders take care of quoting, that is, the SQL statement will
always be valid, at the data will no longer be part of the query. This:
$dbh-do(INSERT INTO mytable (email) VALUES (?), undef, $email);
...will insert $email into the table without a runtime error (well, it
is probably not what you want, as you will have an invalid e-mail
address, but it is still better compared to letting others execute SQL
commands on your machine...)
This thing by itself should be enough for anyone NOT to use
non-prepared statements (like many badly written PHP scripts do). But
there are more things... well, read the article once again, or wait for
another e-mail on speed benefits :-)
Regards,
- Csongor
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
RE: Prepared statement for MySQL 4.1
Re speed benefits
There aren't any - at least not through the C API. It's at least twice as
slow as writing embedded statements and parsing every time. I'm waiting for
them to announce they've fixed it before we consider this route again.
Kevin Cowley
RD
Tel: 0118 902 9099 (direct line)
Email: [EMAIL PROTECTED]
Web: http://www.alchemetrics.co.uk
-Original Message-
From: Fagyal Csongor [mailto:[EMAIL PROTECTED]
Sent: 11 November 2004 18:10
To: 'Mysql ' (E-mail)
Subject: Re: Prepared statement for MySQL 4.1
Scott,
I've read the article about 'prepared statement' found in MySQL 4.1, and
am
not sure if I understood what 'prepared statement' does and how can it
benefit us. Can anyone elaborate on what 'prepared statement' could do
with
examples where possible?
In the simplest case, consider this:
You have an application (say a webpage), which receives user input (say
a submitted form) which contain an e-mail address that you want to
insert into a database. Let's say you have this form field in a variable
called $email:
Inserting:
$dbh-do(INSERT INTO mytable (email) VALUES ('$email'));
Now if you do not verify what is in $email, and the user passes you this
: notavalidemail@'adress
you can run into trouble, as the above statement will parse to
INSERT INTO mytable (email) VALUES ('notavalidemail@'adress)
which is not good, it produces an SQL error because of the extra '
character. You can run into more serious trouble if you get something
more SQL-like from your form, say DELETE FROM mytable or something
like that ;-)
Using placeholders take care of quoting, that is, the SQL statement will
always be valid, at the data will no longer be part of the query. This:
$dbh-do(INSERT INTO mytable (email) VALUES (?), undef, $email);
...will insert $email into the table without a runtime error (well, it
is probably not what you want, as you will have an invalid e-mail
address, but it is still better compared to letting others execute SQL
commands on your machine...)
This thing by itself should be enough for anyone NOT to use
non-prepared statements (like many badly written PHP scripts do). But
there are more things... well, read the article once again, or wait for
another e-mail on speed benefits :-)
Regards,
- Csongor
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:
http://lists.mysql.com/[EMAIL PROTECTED]
**
ALCHEMETRICS LIMITED (ALCHEMETRICS)
Mulberry Park, Fishponds Road, Wokingham, Berkshire, RG41 2GX
Tel: +44 (0) 118 902 9000Fax: +44 (0) 118 902 9001
This e-mail is confidential and is intended for the use of the addressee only.
If you are not the intended recipient, you are hereby notified that you must
not use, copy, disclose, otherwise disseminate or take any action based on
this e-mail or any information herein.
If you receive this transmission in error, please notify the sender
immediately by reply e-mail or by using the contact details above and then
delete this e-mail.
Please note that e-mail may be susceptible to data corruption, interception
and unauthorised amendment. Alchemetrics does not accept any liability for
any such corruption, interception, amendment or the consequences thereof.
**
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]
