A know a lot of people that use prepared statements, for the placeholder binding alone. That is, they don't intend on issuing the same statement more than once, with different values. They simply feel using PS in this manner is more secure.
My understanding of MySQL's PS, is the SQL is sent as a single transmission, followed by one or more transmissions to send the values. So using PS for a single query is less efficient that using a plain query, which is done in a single transmission.
Do the security benefits PS offer out weigh the loss in efficiency? I don't think so, because I don't think it's that hard to properly escape values before adding them to your SQL.
What are your thoughts?
A prepared statement is compiled and stored on the DBMS. These statements may be cached and reused.
Imagine the benefits when hitting the same page multiple times.
Further, some database engines (Oracle for example) may impose a hard statement limit and trust me (I know from experience), you do not want to exhaust this.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With