Robert Cummings skrev:
I sincerely question the competence of someone who advocates a one size
fits all approach to programming. There are many reasons why a developer
may work with the old-school interface calls. For instance they may be
supporting an old school application. They might be writing their own
abstract layer. They might be optimizing an extremely loaded system
whereby explicitly using the API calls improves speed. Prepared
statements only improve speed when making multiple queries to the
database having the same format. They slow things down when making
unique queries. Any developer worth his salt doesn't need prepared
statements to improve security, and assuming prepared statements will
protect you is silly since they cannot protect against everything. A
professional knows when to use any given approach given the environment
and requirements.
Cheers,
Rob.
So I was perhaps a bit inflammatory in my post. But I do not see myself
completely rebutted.
1. Maintaining legacy apps does not fall under the categories I was
referring to. If you are bound by legacy constraints it is another ballgame.
2. In a short mail like this one there is not room to expand every
minute detail. I do realise that PDO is not the best way to go for every
app. But in saying that prepared statements is a really good way to
protect against SQL-injection, I'm just echoing Ilia Alshanetsky
(spelling?) and a few other rather renowned security experts. Of course
one should always have a "defense in depth", though.
3. Speed loss from prepared statements are usually negligible even for a
single query. There are tests published on the net. And if one wants
speed, one should probably consider a caching layer between PHP and ones
DBMS. The OO-model in PHP 5 would make such multi tiered apps simpler to
develop as well.
The question PHP 4 or PHP 5: If you stay with 4 you are bound to a one
size fits all solution. In PHP 5 you can use DB-specific drivers or PDO
or a PHP-based abstraction layer. That's *more* choice, not less!
To summarize: With PDO or mysqli I can use both old school SQL and
prepared statements, in PHP 4 there are fewer options! My case for PHP 5
stands intact.
And finally: With each new release of PHP we can expect improvements in
PDO, making it a more future safe alternative.
Lars Gunther
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
