Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Are there downsides to using prepared statements?

I've been reading a lot about prepared statements and in everything I've read, no one talks about the downsides of using them. Therefore, I'm wondering if there are any "there be dragons" spots that people tend to overlook?

like image 655
Scott Avatar asked Sep 01 '09 15:09

Scott


People also ask

What is the disadvantage of PreparedStatement?

Following are the limitations of prepared statements: Since a PreparedStatement object represents only one SQL statement at a time, we can execute only one statement by one prepared statement object. To prevent injection attacks it does not allow more than one value to a place holder.

When should prepared statements not be used?

It is easy: If you know the string comes from your application and cannot be manipulated by a user, then there is no need for prepared statements, because there is nothing to inject. If you are not sure (bad, but in greater projects not avoidable) use prepared statement.

Should I always use prepared statements?

You should always prefer working with prepared statements for the security benefits. They all but eliminate vulnerability to SQL injection, without you having to worry about SQL-escaping values. If you have a query that doesn't run often, though (less than once per request), a prepared statement can take longer to run.

Are prepared statements Safe?

What are Prepared Statements? A prepared statement is a parameterized and reusable SQL query which forces the developer to write the SQL command and the user-provided data separately. The SQL command is executed safely, preventing SQL Injection vulnerabilities.


5 Answers

Prepared statement is just a parsed and precompiled SQL statement which just waits for the bound variables to be provided to be executed.

Any executed statement becomes prepared sooner or later (it need to be parsed, optimized, compiled and then executed).

A prepared statement just reuses the results of parsing, optimization and compilation.

Usually database systems use some kind of optimization to save some time on query preparation even if you don't use prepared queries yourself.

Oracle, for instance, when parsing a query first checks the library cache, and if the same statement had already been parsed, it uses the cached execution plan instead.

like image 184
Quassnoi Avatar answered Oct 23 '22 00:10

Quassnoi


If you use a statement only once, or if you automatically generate dynamic sql statements (and either properly escape everythin or know for certain your parameters have only safe characters) then you should not use prepared statements.

like image 45
flybywire Avatar answered Oct 23 '22 00:10

flybywire


There is one other small issue with prepared statements vs dynamic sql, and that is that it can be harder to debug them. With dynamic sql, you can always just write out a problem query to a log file and run it directly on the server exactly as your program sees it. With prepared statements it can take a little more work to test your query with a specific set of parameters determined from crash data. But not that much more, and the extra security definitely justifies the cost.

like image 33
Joel Coehoorn Avatar answered Oct 23 '22 00:10

Joel Coehoorn


in some situations, the database engine might come up with an inferior query plan when using a prepared statement (because it can't make the right assumptions without having the actual bind values for a search).

see e.g. the "Notes" section at

http://www.postgresql.org/docs/current/static/sql-prepare.html

so it might be worth testing your queries with and without preparing statements to find out which is faster. ideally, you would then decide on a per-statement basis whether to use prepared statements or not, although not all ORMs will allow you to do that.

like image 40
pmeidl Avatar answered Oct 22 '22 23:10

pmeidl


The only downside that I can think of is that they take up memory on the server. It's not much, but there are probably some edge cases where it would be a problem but I'm hard pressed to think of any.

like image 26
Adam Ruth Avatar answered Oct 23 '22 00:10

Adam Ruth