On 27/02/2021 at 15:39, Rowan Tommins wrote:
> On 27/02/2021 14:03, Pierre wrote:
>> I'm curious, why are you stating that emulated prepares are not
>> useful anymore?
> Emulated prepares are a slightly dangerous idea, because they give the
> impression of separating query from data, but actually use string
> escaping internally. Historically, I believe there were previously
> scenarios where real prepared queries were not available, which no
> longer apply.
Yes, I was aware of this. I do explicit prepares when I really need
them; it doesn't happen very often. I still do from time to time, but
using the ext-pgsql extension. I don't use MySQL anymore since I
succeeded in freeing myself from Drupal :) Drupal uses emulated prepares
because that allows it to set value placeholders in queries, which is very
convenient for their query builder.
>> Using the prepare() function, if I remember correctly, seems to be the
>> only way to execute a query that allows you to pass an array of
>> parameters instead of having to call PDOStatement::bindParam() for
>> each parameter.
> Regardless of whether you use emulated or real prepares, the
> PDOStatement's execute method can be called with an array of
> parameters, and as far as I know always could.
Yes, but PDOStatement::execute() explicitly documents that it can be
used only for prepared queries. If that's true, that means there is no
alternative for binding value params in a query other than using it. I
didn't remember (it had been a long time since I had used PDO when I wrote
my first email) that only prepare() allows you to write value placeholders
in queries. ext-pgsql has pg_query_params() for doing this, which is very
convenient; PDO can only do this using emulated prepares.
>> That's the only reason I use emulated prepares anyway: it allows using
>> this API without actually preparing the queries, which is what I
>> want most of the time.
> This is a slightly different point: when running a query once, it
> seems to currently require two database round trips: one to prepare,
> and one to execute. I don't know what the underlying drivers support
> here, but it would be useful to have a method on the PDO object itself
> that lets you provide a parameterised string and its data in one go.
> That would be safer than using emulated prepares, and (hopefully) more
> efficient than using real prepares.
> Regards,
I'm not sure it requires two round trips when you use prepare() along
with emulated prepares; at least I never noticed it (and I did profile by
observing SQL-side logs more than once; for example, one thing that does a
lot of round trips is the getColumnMeta() call). Two round trips are
required if you really prepare the query.
Anyway, thank you very much for answering. It's sad PDO doesn't have a
pg_query_params() equivalent method; most people would stop using
prepare() if that were the case.
Regards,
--
Pierre
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
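For readers who want to see the two APIs the thread compares side by side, here is an added example written for this page; it is not code from Pierre, Rowan or the PHP project. It assumes a PostgreSQL server reachable through the DSN and credentials in the variables below and a table `users(id serial, email text)`; the DSN, credentials, table name and column names are placeholders for illustration. It shows a single-run parameterised query through PDO with emulation switched off (values travel separately from the query text, so hostile-looking input is just data) and the equivalent single call with pg_query_params().

```php
<?php
declare(strict_types=1);

// Added example: a parameterised query run once with PDO versus ext-pgsql.
// Assumptions (placeholders, not from the thread): a PostgreSQL server at the
// DSN below and a table created with
//   CREATE TABLE users (id serial PRIMARY KEY, email text NOT NULL);
$dsn  = 'pgsql:host=localhost;dbname=app';
$user = 'app';
$pass = 'secret';

// 1. PDO. Emulation is turned off explicitly so the driver sends the query
//    text and the values as separate protocol messages. With
//    ATTR_EMULATE_PREPARES = true, PDO would instead escape each value and
//    splice it into the SQL string client-side before sending it.
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

/**
 * Run a query once, handing all values to execute() as an array.
 * The array form of execute() works with both emulated and native prepares;
 * the difference is only whether the driver sends one message (emulated)
 * or a prepare/execute pair (native).
 */
function pdoQueryParams(PDO $pdo, string $sql, array $params): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A value that would break a concatenated query is bound as plain data:
// the caller does no escaping and the quotes never reach the SQL parser.
$email = "o'reilly@example.org' OR '1'='1";

$rows = pdoQueryParams($pdo, 'SELECT id, email FROM users WHERE email = ?', [$email]);
var_dump(count($rows));  // matches only a row whose email is literally that string

// Named placeholders are passed the same way, keyed by name.
$rows = pdoQueryParams(
    $pdo,
    'SELECT id, email FROM users WHERE email = :email AND id > :min_id',
    ['email' => $email, 'min_id' => 0]
);

// 2. ext-pgsql. pg_query_params() is the one-call API the thread wishes PDO
//    had: the query uses $1, $2, ... and the values are sent as parameters
//    alongside it, with no client-side statement handle to manage.
$pg = pg_connect('host=localhost dbname=app user=app password=secret');
if ($pg === false) {
    throw new RuntimeException('pg_connect failed');
}
$result = pg_query_params($pg, 'SELECT id, email FROM users WHERE email = $1', [$email]);
if ($result === false) {
    throw new RuntimeException(pg_last_error($pg));
}
var_dump(pg_num_rows($result));

// What not to do: string concatenation. This is the shape that emulated
// prepares reproduce internally (with escaping added), and it is injectable
// as written:
// $pdo->query("SELECT id, email FROM users WHERE email = '" . $email . "'");
```

If you do keep emulation on with pdo_mysql, put the connection charset in the DSN (for example `charset=utf8mb4`) so that the client-side escaping uses the same character set the server applies; a mismatch between the two is the classic way emulated escaping goes wrong.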