On 14.05.2012 16:50, Johan De Meersman wrote:
> ----- Original Message -----
>> From: "Govinda" <govinda.webdnatalk@stripped>
>>
>> 1.) Is anyone *who knows what he is doing* still using
>> mysql_real_escape_string()? Ever?
>
> I seem to vaguely remember someone showing me some code that would bypass escaping;
> but I didn't really pay a lot of attention, to be honest :-)
>
> Personally I haven't used escapes in ages, for the simple reason that prepared
> statements are just that much more convenient - and even if MySQL doesn't do a lot with it
> for the time being, they also allow for some very nifty in-server optimizations using
> cached query plans and similar nifties. Using them is a good habit for three reasons:
> 1) it makes you immune to SQL injections, at least as effectively as escaping;
> 2) if MySQL finally gets around to implementing an execution plan cache, you'll
> start benefiting without having to lift a finger
> 3) you won't need to learn new ways of working if you need to code on different
> databases :-)
But what about the dramatically reduced query-cache hits I see
in some piece of software switching to prepared statements?
dbmail2, as an example, had around 300 SQL actions per second;
dbmail3, using prepared statements, currently has around 1000 per second.
I cannot imagine any better performance in a PHP script, since it
is stateless and you have to do the whole prepare in each request.