I see a lot of people saying you should always use prepared statements for database queries. However, the PHP docs say:
Every prepared statement occupies server resources. Statements should be closed explicitly immediately after use. If not done explicitly, the statement will be closed when the statement handle is freed by PHP.
Using a prepared statement is not always the most efficient way of executing a statement. A prepared statement executed only once causes more client-server round-trips than a non-prepared statement.
From http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
Given the above, if you're only going to use a query once, isn't it better not to use prepared statements?
You should always prefer working with prepared statements for the security benefits. They all but eliminate vulnerability to SQL injection, without you having to worry about SQL-escaping values. If you have a query that doesn't run often, though (less than once per request), a prepared statement can take longer to run.
Following are the limitations of prepared statements: Since a PreparedStatement object represents only one SQL statement at a time, we can execute only one statement per prepared statement object. To prevent injection attacks, it does not allow more than one value per placeholder.
1. PreparedStatement allows you to write a dynamic and parametric query. By using PreparedStatement in Java you can write parameterized SQL queries and send different parameters by using the same SQL queries which is a lot better than creating different queries.
PreparedStatement allows us to execute dynamic queries with parameter inputs. PreparedStatement provides different types of setter methods to set the input parameters for the query. PreparedStatement is faster than Statement.
The difference is considered to be negligible.
Nevertheless, one has to distinguish native prepared statements from the general idea of a prepared statement.
The former is just a form of running queries supported by most DBMSs, explained here. Its usage can be questioned.
The latter is the general idea of substituting actual data with a placeholder, implying further processing of the substituted data. It is widely used in programming; the well-known printf() function is an example. And this latter approach has to ALWAYS be used to run a query against a database, no matter whether it is backed by native prepared statements or not. Because:
So, even if you consider not using native prepared statements (which is quite okay), you have to always create your queries using placeholders instead of the actual data. For this purpose you can use PDO, which works exactly as described above - by default it just emulates prepares, meaning a regular SQL query is created out of the prepared query and the data, and then run against the database.
However, PDO lacks support for many important data types, such as identifiers or arrays - thus it makes you unable to always use placeholders and thus makes an injection quite possible. Luckily, safeMysql has placeholders for every data type and allows you to run queries safely.
SQL injection is the reason why prepared statements are the preferred way. If your query is constant then there is no reason to use prepared statements. If you are sure that your query will be safe even if you construct it by string concatenation then it is OK to skip prepared statements.
Constants are OK.
$sql = "SELECT * FROM foobar";
If there is no chance that the $id variable will contain any other type of data than int then this is OK.
$sql = "SELECT * FROM users WHERE id=".$id;
Usually it is easy to fail to ensure that the data contained in a variable is the right type, so prepared statements are a more secure way of constructing the query.
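The contrast the answers above draw between concatenating $id into the query and binding it through a placeholder, as an added example that is not part of any of the original answers. It uses PDO against an in-memory SQLite database so it runs offline; the users table, its rows and the allow-list of sortable columns are constructed here, and the identifier allow-list stands in for the placeholder types PDO does not offer.

```php
<?php
// Added example: concatenated query vs. PDO prepared statement.
// In-memory SQLite so it runs without a server; table and rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Untrusted input. The answer's "id=".$id form is only safe if $id is really an int;
// here it is not.
$id = "1 OR 1=1";

// Concatenation: the injected text is parsed as SQL, the WHERE filter is defeated.
$rows = $pdo->query("SELECT * FROM users WHERE id=" . $id)->fetchAll(PDO::FETCH_ASSOC);
echo "concatenated: " . count($rows) . " row(s)\n";   // both rows come back

// Prepared statement: the same input is bound as one value and compared as data.
// SQLite does not coerce '1 OR 1=1' to a number, so no row matches.
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
$stmt->bindValue(':id', $id);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared: " . count($rows) . " row(s)\n";      // filter still applies

// Identifiers (table or column names) cannot be bound through a placeholder, as one
// answer notes; check them against an allow-list before interpolating.
function orderedUsers(PDO $pdo, string $requestedColumn): array
{
    $allowed = ['id', 'name'];   // assumption: the only columns callers may sort by
    if (!in_array($requestedColumn, $allowed, true)) {
        throw new InvalidArgumentException("unknown sort column");
    }
    // Safe only because $requestedColumn is one of our own literals at this point.
    $stmt = $pdo->prepare("SELECT name FROM users ORDER BY $requestedColumn");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(orderedUsers($pdo, 'name'));
try {
    orderedUsers($pdo, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

With MySQL, PDO emulates prepares by default and quotes the bound value client-side; set PDO::ATTR_EMULATE_PREPARES to false to use native server-side prepares, and the bound value is kept out of the SQL text either way.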