On 1/12/07, Brian Moon <[EMAIL PROTECTED]> wrote:
> Neither the PHP manual nor the MySQL manual mentions SQL injection when talking about prepared statements.
I don't think you've read the section on prepared statements in the PDO documentation, because it does mention it there, although it doesn't beat you over the head with the seriousness of the problem. http://us2.php.net/manual/en/ref.pdo.php#pdo.prepared-statements
> And frankly, it's not the manual's job to tell you how to write secure code. So, this has to be coming from people.
It's been a strong, recurring theme at conferences for the past couple of years. I'm not sure who else could be doing a better job at this.
> And, as you said, variable binding has only been used in PHP with prepared statements. Unless you reuse a statement, you lose performance every time you prepare a statement. So, IMO, there is no performance gain either with prepared statements/variable binding for normal, one-time-use queries.
A good database doesn't have a performance cost here. Also note that you can instruct PDO to use emulation for drivers like mysql where the native prepared statements are sub-optimal.

--Wez.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
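An added illustration of the point argued above, not code from the thread: the same lookup built by string interpolation and with a bound parameter, run against an in-memory SQLite database so it is self-contained. The emulation setting Wez mentions applies to pdo_mysql and appears only as a comment, since pdo_sqlite rejects that attribute.

```php
<?php
// Added example (not from the thread). Assumes PDO with the sqlite driver.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed untrusted input: a value carrying a quote and an SQL fragment.
$input = "nobody' OR 'x'='x";

// Vulnerable: interpolating the value lets it change the statement's structure.
$sql  = "SELECT name FROM users WHERE name = '$input'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo count($rows) . " row(s) from interpolated query\n"; // 2: every user matches

// Safe: the statement is prepared once; the value is passed as data, not SQL.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo count($rows) . " row(s) from bound query\n"; // 0: no user has that literal name

// Reusing the prepared statement avoids re-preparing, which is where the
// per-query cost Brian objects to actually lies.
foreach (['alice', 'bob'] as $name) {
    $stmt->execute([':name' => $name]);
    echo implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)) . "\n";
}

// For pdo_mysql, where native prepares can be sub-optimal, PDO can emulate
// them client-side; the driver still quotes bound values itself, so the
// application never builds SQL from raw input:
//   $mysql->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
```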