NYCPHP Meetup

[Adam Maccabee Trachtenberg]

On Wed, 23 Mar 2005, David Mintz wrote:

> On Tue, 22 Mar 2005, Daniel Convissor wrote:
>
> > Prepare/execute is only efficient when you do one
> > prepare of the query and then will be executing that the same exact query
> > (without changing table/column names) multiple times.
>
> Is this true even when the back end is MySQL 4.1.x and the underlying PHP
> API is mysqli? I thought I read an article on zend.com that extolled the
> benefits of prepare/execute and suggested it was always a win, but maybe I
> was smoking crack again and misunderstood.
>
> Follow-up question: is it a wash if you are only doing the query once, or
> is it actually less efficient w/ prepare/execute than without? Let's
> assume you are not working with TEXT or BLOBs

When you don't prepare the SQL statement ahead of time, the database
has to do the preparation itself before it executes the query. If you
only make the query a single time, there will be some additional
overhead with an explicit preparation, as there's additional
communication back and forth between the db and the client.

However, I would say that, at least in the case of MySQLi and MySQL
4.1, that this can be worth it, as it allows bound parameters. The big
win here is that you don't need to call mysqli_real_escape_slashes()
on strings. This can reduce your chance of opening up yourself to a
SQL injection attack. So, it's a security win, even if it's a minor
speed loss.

-adam

-- 
adam at trachtenberg.com | http://www.trachtenberg.com
author of o'reilly's "upgrading to php 5" and "php cookbook"
avoid the holiday rush, buy your copies today!