[nycphp-talk] mysql_real_escape_string WAS: Mysql question!

Cliff Hirsch cliff at pinestream.com
Tue Oct 31 19:36:24 EST 2006


This brings up an interesting point. Many people slam prepared
statements for being slow for non-repetitive queries. However, if you
need to make multiple trips to the database engine and back to escape a
handful of parameters, I wonder which method is actually faster --
especially if your DB is on a different server. Simply climbing up and
down the TCP/IP stack burns a lot of cycles, unless you happen to have
one of the TOEs that I have written about (TCP/IP offload/acceleration
engine). I recall seeing a performance comparison somewhere, but its
location escapes me -- no pun intended.

-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of David Krings
Sent: Tuesday, October 31, 2006 7:22 PM
To: NYPHP Talk
Subject: Re: [nycphp-talk] mysql_real_escape_string WAS: Mysql question!

Hi,

    my guess is that some of the characters escaped using the mysql 
escaping cannot be reasonably expected to come in from user input. 
Mysql_real_escape_string escapes all these:
\x00, \n, \r, \, ', " and \x1a
    but I can't think of any way on how to get \x1a as user input 
(assuming that this is the hex value for an ASCII character). Even NULL 
is difficult, but not impossible. I guess that the "ultimately 
unnecessary" looks at it from a viewpoint of what is possible assuming 
the user is the idiot and not the developer. It consumes a trip to the 
database engine and back, whereas addslashes doesn't. I don't know, my 
arguments are a bit thin and it may really just be like that: "ultimately 
unnecessary" as long as the string was addslashed.

    David K.

Cliff Hirsch wrote:
> I just read the same thing in Cal's book and was going to ask the
> group about this. While prepared statements sound nice in theory, there are
> many of us that still hack together "old-fashioned" queries. And what
> does "ultimately unnecessary" mean anyway? Consumes more mips than it's
> worth?
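The following is an added example, not code from this thread or from PHP/MySQL. It reimplements, as plain string replacement in Python, the two escape tables the thread compares: the seven characters David lists for mysql_real_escape_string (the replacement spellings \0, \n, \r, \\, \', \", \Z are the ones MySQL's client library uses) and the four that PHP's addslashes() handles (single quote, double quote, backslash, NUL). It then shows which characters in a handful of constructed inputs addslashes passes through untouched, and, for Cliff's prepared-statement point, stores the raw values through a bound parameter so no escaping is needed at all. sqlite3 stands in for MySQL in that last part; that substitution, and all sample inputs, are assumptions of the example.

```python
import sqlite3

# Escape tables as described in the thread (reimplementation for illustration,
# not the libmysqlclient routine or PHP's addslashes themselves).
MYSQL_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}

# PHP addslashes(): only ', ", \ and NUL.
ADDSLASHES_ESCAPES = {
    "\x00": "\\0",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
}


def escape(value: str, table: dict) -> str:
    """Character-by-character substitution driven by one of the tables above."""
    return "".join(table.get(ch, ch) for ch in value)


def mysql_escape(value: str) -> str:
    return escape(value, MYSQL_ESCAPES)


def addslashes(value: str) -> str:
    return escape(value, ADDSLASHES_ESCAPES)


def left_unescaped(value: str) -> set:
    """Characters the MySQL table rewrites but addslashes would pass through."""
    return {ch for ch in value if ch in MYSQL_ESCAPES and ch not in ADDSLASHES_ESCAPES}


# Constructed sample inputs (not from the thread). Any multi-line form field
# delivers CRLF, which is the realistic case addslashes does not cover.
SAMPLES = {
    "textarea": "line one\r\nline two's",
    "name": "O'Brien",
    "nul": "abc\x00def",
    "ctrl_z": "end\x1a",
}


def report():
    """One row per sample: label, mysql escaping, addslashes, and the difference."""
    return [
        (label, mysql_escape(raw), addslashes(raw), sorted(left_unescaped(raw)))
        for label, raw in SAMPLES.items()
    ]


def roundtrip_bound(raw: str) -> str:
    """Store raw through a bound parameter and read it back unchanged.

    The caller applies no escaping: the value never becomes part of the SQL
    text. sqlite3 is used here in place of MySQL (assumption for the example).
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (v TEXT)")
    con.execute("INSERT INTO t (v) VALUES (?)", (raw,))
    (stored,) = con.execute("SELECT v FROM t").fetchone()
    con.close()
    return stored


if __name__ == "__main__":
    for label, m, a, diff in report():
        print(f"{label:9s} mysql={m!r:34s} addslashes={a!r:34s} addslashes misses={diff}")
    for raw in SAMPLES.values():
        print("bound parameter round-trips unchanged:", roundtrip_bound(raw) == raw)
```

The textarea row is the one to look at: both escapers agree on the apostrophe, but only the MySQL table touches the CR and LF, so "as long as the string was addslashed" depends on the input never containing line breaks. The bound-parameter path sidesteps the whole question, which is the trade Cliff is weighing against the extra round trip.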
