----- Original Message -----
> From: "Govinda" <govinda.webdnatalk@stripped>
>
> 1.) Is anyone *who knows what he is doing* still using
> mysql_real_escape_string()? Ever?

I seem to vaguely remember someone showing me some code that would bypass escaping; but I
didn't really pay a lot of attention, to be honest :-)

Personally I haven't used escapes in ages, for the simple reason that prepared statements
are just that much more convenient - and even if MySQL doesn't do a lot with it for the
time being, they also allow for some very nifty in-server optimizations using cached
query plans and similar nifties. Using them is a good habit for three reasons:

1) it makes you immune to SQL injections, at least as effectively as escaping;
2) if MySQL finally gets around to implementing an execution plan cache, you'll start
   benefiting without having to lift a finger;
3) you won't need to learn new ways of working if you need to code on different databases :-)

--
Beer with grenadine
Is like mustard with the wine
She who drinks it is a prude
He who drinks it is soon an ass
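
The contrast discussed in the message above, as an added example that is not part of the original thread: string escaping does nothing for a value spliced into an unquoted numeric context, while a prepared statement binds the same input as data. Assumptions: Python's built-in `sqlite3` stands in for MySQL so the code runs offline, `escape()` is a simplified stand-in for `mysql_real_escape_string()`, and the table and rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return db


def escape(value):
    """Stand-in for string escaping (SQLite's rule: double single quotes)."""
    return value.replace("'", "''")


def lookup_escaped(db, account_id):
    """'Before' form: the value is escaped, then concatenated unquoted.

    Escaping only neutralises quote characters, so input that contains
    none passes through unchanged and is parsed as SQL.
    """
    sql = "SELECT owner FROM accounts WHERE id = " + escape(account_id)
    return sorted(row[0] for row in db.execute(sql))


def lookup_prepared(db, account_id):
    """Hardened form: the statement text is fixed, the value is bound."""
    sql = "SELECT owner FROM accounts WHERE id = ?"
    return sorted(row[0] for row in db.execute(sql, (account_id,)))


if __name__ == "__main__":
    db = make_db()
    untrusted = "2 OR 1=1"  # constructed input containing no quote characters
    print("escaped :", lookup_escaped(db, untrusted))   # every row comes back
    print("prepared:", lookup_prepared(db, untrusted))  # no row matches
    print("prepared:", lookup_prepared(db, "2"))        # the one intended row
```
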