Nowadays, "prepared statements" seem to be the only way anyone recommends sending queries to a database. I even see recommendations to use prepared statements for stored procs. However, given the extra query prepared statements require, and the short time they last, I am convinced that they are only useful for some kinds of INSERT/UPDATE queries.

I am hoping someone can correct me on this, but it just seems like a repeat of the whole "Tables are evil" CSS thing. Tables are only evil if used for layout, not for tabular data. Using DIVs for tabular data is a style violation of the W3C.

Likewise, plain SQL (or SQL generated from ARs) seems to be a lot more useful for 80% of the queries used, which on most sites are a single SELECT that is not repeated again during that page load (I am talking about scripting languages like PHP here). Why would I make my over-taxed DB prepare a statement that it is only going to run once before it is removed?


A prepared statement is specific to the session in which it was created. If you terminate a session without deallocating a previously prepared statement, the server deallocates it automatically.

So at the end of the script PHP will auto-close the connection and you will lose the prepared statement, only to have your script re-create it on the next load.

Am I missing something, or is this just a way to decrease performance?


It dawned on me that I am assuming new connections for each script. I would think that if a persistent connection is used then these problems would disappear. Is that correct?


It seems that even if persistent connections are the solution, they are not a very good option for most of the web, particularly if you use transactions. So I am back to square one with just the benchmarks below to go on...


Many people simply repeat the saying "prepared statements protect against SQL injection", which does not fully explain the issue. The "escape" method provided by each DB library also protects against SQL injection. But it is more than that:

When sending a query the normal way, the client (script) converts the data into strings that are then passed to the DB server. The DB server then uses CPU power to convert them back into the correct binary datatype. The database engine then parses the statement and looks for syntax errors.

When using prepared statements... the data are sent in a native binary form, which saves the conversion CPU usage and makes the transfer more efficient. Obviously, this will also reduce bandwidth usage if the client is not co-located with the DB server.

...The variable types are predefined, and therefore MySQL takes these values as they are, and they do not need to be escaped.

Thanks to OIS for finally setting me straight on this issue.
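The difference the answer above describes, and the "only way to put user-provided data in a query" point made in the comment that follows, can be seen in a few lines of code. This is an added example and is not code from the original post or from OIS; it uses Python's sqlite3 module as an offline stand-in for PHP talking to MySQL (the same split between statement text and parameter values applies to mysqli/PDO prepared statements). The `users` table and its rows are constructed for the demonstration; the function names are mine.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
# The third name contains a single quote on purpose.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "ob@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the user's input is glued into the SQL text, so the
    server parses whatever the user typed as part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Parameterized: the statement text is fixed and parsed as SQL; the
    value travels separately as a typed parameter and is never parsed as
    SQL, so it needs no escaping."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against an injection payload and a name containing
    a quote, and return the results for inspection."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic tautology injection
    results = {
        # Concatenation turns the payload into WHERE name = '' OR '1'='1'
        "concat_injected": lookup_concat(conn, payload),
        # The prepared statement compares against the literal payload string
        "prepared_injected": lookup_prepared(conn, payload),
        # A legitimate value with a quote works unescaped as a parameter
        "prepared_quote": lookup_prepared(conn, "o'brien"),
    }
    try:
        # The same value breaks the concatenated statement's syntax
        lookup_concat(conn, "o'brien")
        results["concat_quote_error"] = None
    except sqlite3.OperationalError as exc:
        results["concat_quote_error"] = str(exc)
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the concatenated query the tautology payload returns every row and a legitimate name containing a quote is a syntax error; with the parameterized query the payload matches nothing and the quoted name is found with no escaping at all, because the value is never part of the text the engine parses.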

Unlike the CSS tables debate, there are clear security implications with prepared statements.

If you use prepared statements as the only way to put user-provided data in a query, they are absolutely bullet-proof when it comes to SQL injection.