[nycphp-talk] mysql_real_escape_string WAS: Mysql question!
cliff at pinestream.com
Tue Oct 31 19:36:24 EST 2006
This brings up an interesting point. Many people slam prepared
statements for being slow for non-repetitive queries. However, if you
need to make multiple trips to the database engine and back to escape a
handful of parameters, I wonder which method is actually faster --
especially if your DB is on a different server. Simply climbing up and
down the TCP/IP stack burns a lot of cycles, unless you happen to have
one of the TOEs that I have written about (TCP/IP offload/acceleration
engine). I recall seeing a performance comparison somewhere, but its
location escapes me -- no pun intended.
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of David Krings
Sent: Tuesday, October 31, 2006 7:22 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] mysql_real_escape_string WAS: Mysql question!
my guess is that some of the characters escaped using the mysql
escaping cannot be reasonably expected to come in from user input.
Mysql_real_escape_string escapes all these:
\x00, \n, \r, \, ', " and \x1a
but I can't think of any way on how to get \x1a as user input
(assuming that this is the hex value for an ASCII character). Even NULL
is difficult, but not impossible. I guess that the "ultimately
unnecessary" looks at it from a viewpoint of what is possible assuming
the user is the idiot and not the developer. It consumes a trip to the
database engine and back, whereas addslashes doesn't. I don't know, my
arguments are a bit thin and it may really just be like that: "ultimately
unnecessary" as long as the string was addslashed.
Cliff Hirsch wrote:
> I just read the same thing in Cal's book and was going to ask the
> about this. While prepared statements sound nice in theory, there are
> many of us that still hack together "old-fashioned" queries. And what
> does "ultimately unnecessary" mean anyway? Consumes more mips than its
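The thread compares the character set that mysql_real_escape_string rewrites with the one addslashes rewrites, asks whether a byte such as \x1a can arrive as user input, and contrasts both with prepared statements. The following is an added example, not code from the thread or from PHP or MySQL themselves: it mirrors the two escape tables in Python, shows that a percent-encoded form body delivers any byte (including Ctrl-Z) to the application, and uses an in-memory sqlite3 table as a stand-in for MySQL to show the parameterized query that needs no escaping step at all. The table name, rows and form body are constructed for the example.

```python
# Added example (not from the mailing-list thread): MySQL-style escaping vs
# addslashes-style escaping, where odd bytes come from, and a parameterized
# query that removes the escaping step. sqlite3 stands in for MySQL here.
import sqlite3
from urllib.parse import parse_qs

# Characters mysql_real_escape_string rewrites (per the PHP manual):
# NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
MYSQL_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# Characters addslashes rewrites: single quote, double quote, backslash, NUL.
ADDSLASHES_ESCAPES = {
    "'": "\\'",
    '"': '\\"',
    "\\": "\\\\",
    "\x00": "\\0",
}


def escape_with(table, s):
    """Rewrite every character present in `table`; all others pass through."""
    return "".join(table.get(ch, ch) for ch in s)


def mysql_escape(s):
    """Client-side rewrite using the mysql_real_escape_string character set."""
    return escape_with(MYSQL_ESCAPES, s)


def addslashes(s):
    """Client-side rewrite using the addslashes character set."""
    return escape_with(ADDSLASHES_ESCAPES, s)


def missed_by_addslashes(s):
    """Characters in s that the MySQL table rewrites but addslashes leaves alone."""
    return {ch for ch in s if ch in MYSQL_ESCAPES and ch not in ADDSLASHES_ESCAPES}


def name_from_form_body(body):
    """Decode a constructed x-www-form-urlencoded body; %1A decodes to Ctrl-Z,
    so the byte the thread wonders about is reachable from an ordinary POST."""
    return parse_qs(body)["name"][0]


def build_query_by_escaping(name):
    """The 'old-fashioned' query from the thread: escape, then interpolate."""
    return "SELECT id FROM users WHERE name = '%s'" % mysql_escape(name)


def open_sample_db():
    """Constructed sample data in an in-memory sqlite3 database (MySQL stand-in)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "O'Brien"), (3, "ctrl\x1az")],
    )
    return conn


def lookup_parameterized(conn, name):
    """Parameterized query: the value is bound, never spliced into the SQL text,
    so quotes, newlines and Ctrl-Z in `name` need no escaping at all."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    raw = name_from_form_body("name=ctrl%1Az")
    print(repr(raw), "missed by addslashes:", missed_by_addslashes(raw))
    print(build_query_by_escaping("O'Brien"))
    db = open_sample_db()
    print(lookup_parameterized(db, "O'Brien"), lookup_parameterized(db, raw))
```

The escape tables only rewrite the characters the two PHP functions document; the real mysql_real_escape_string additionally takes the connection's character set into account, which is why the PHP function needs a link resource. The parameterized lookup is the same shape a MySQL prepared statement takes: the literal never becomes part of the SQL text, so the question of which bytes addslashes misses does not arise.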