> A quick google search for 'sql injection prepared statements' found
> those 2 statements (1 is a security article) very quickly.
> ...And frankly, it's not the manual's job to tell you how to
> write secure code. So, this has to be coming from people.

> Yes, but a PHP security portal that references all the information (links and/or articles) on each security subject, maintained by the community (a community portal)...

> Are you saying that filling a variable into a string is slower than
> calling a function with an array to generate a sql statement? I don't
> think so. If you know of such a variable binding library in PHP, please
> hook me up. I will start using it tomorrow.

> OK, some DBMS optimisation explanation... If you present different SQL strings with different values in the condition clause, the SQL analyser cannot cache the execution plan in the SQL area cache... And when you have a very heavily loaded site that loads a DBMS massively with SQL requests, that makes an enormous difference in performance... If you bind variables, the analyser knows where the variant part of the request is and can avoid storing the variant in its prepared statement cache...
>
> Sample:
>
> select field1 from tablename where field1=5;
> select field1 from tablename where field1=6;
> select field1 from tablename where field1=7;
>
> All these request execution plans are stored in the SQL cache... If you have a million requests a day, the cache is completely ineffective... Whereas with a million requests of "select field1 from tablename where field1=?;" with different bound values in "?", the plan is stored once in the prepared execution cache...
>
> The execution plan is the DBMS's analysis to find the most efficient walk plan through the table indexes... to find the right index to walk the table... and this analysis is very CPU intensive... which is why it is interesting to cache it... OK, not all DBMSs work the same way regarding optimisation... some can understand that it is the same request (and where the variant is)... but at the cost of more CPU... and all DBMSs that have a bind system can benefit from binding optimisation, because you help the analyser understand what is variant and what is not... and in addition you have less risk of SQL injection... that's more fun, no? :)

> And, as you said, variable binding has only been used in PHP with
> prepared statements. Unless you reuse a statement, you lose
> performance every time you prepare a statement.

No, because a modern DBMS has an SQL statement cache and reuses the execution plan... on condition of using bind variables... Without bind variables you effectively lose performance... but you lose performance not in the prepare statement (without a prepare statement the SQL engine prepares implicitly internally...) but in the fact that your request's prepared execution plan is not cached efficiently...

> > So, IMO, there is no performance gain either with prepared
> > statements/variable binding for normal, one time use queries.
>
> I don't agree with that for the reason explained in my message.

Best regards,
Mathieu

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
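The two query styles argued over in this thread, as an added PHP/PDO example that is not part of the mailing-list discussion: the interpolated "field1=5, =6, =7" form beside the bound "field1=?" form. It assumes a MySQL table `tablename(field1 INT)` and uses placeholder DSN and credentials; the `PDO::ATTR_EMULATE_PREPARES` setting is the caveat a practitioner would want, since with emulation left on the driver builds a distinct SQL string per value and the server-side plan reuse the thread describes never happens.

```php
<?php
// Added example, not code from the thread. DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=appdb', 'appuser', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // With emulation on (the MySQL driver's default) PDO substitutes the values
    // client-side and sends a different SQL text for each value, so the server
    // parses and plans every one separately, exactly the situation the thread
    // describes. Turning it off sends a real server-side prepared statement.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Interpolated form: the value becomes part of the SQL text. Any value that
// contains SQL syntax changes what the statement means, and every distinct
// value is a distinct statement as far as the server's plan cache is concerned.
function lookupInterpolated(PDO $pdo, string $value): array
{
    $sql = "select field1 from tablename where field1=" . $value;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound form: one statement text, prepared once, executed with many values.
// The server parses and plans "where field1=?" a single time; each value is
// sent separately from the SQL text and is never parsed as SQL.
function lookupBound(PDO $pdo, array $values): array
{
    $stmt = $pdo->prepare('select field1 from tablename where field1=?');
    $rows = [];
    foreach ($values as $v) {
        $stmt->execute([$v]);
        $rows[$v] = $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
    return $rows;
}

// Same three lookups as the thread's sample, issued through one prepared statement.
print_r(lookupBound($pdo, [5, 6, 7]));
```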