HartleySan Posted September 17, 2012

This might seem like a rather simple question, but I can't find an answer anywhere, so I'll ask it here. All the literature about prepared statements always says something like, "You only have to prepare the query once, and then you don't have to anymore after that." Related to this, my question is: Does this mean that you only have to prepare the statement/query once ever (no matter how many times a script is run), or does it mean that you only have to prepare the query once every time a PHP script is executed?

If it's the latter, then I have to ask: Are there any benefits to using prepared statements if you end up executing a certain type of query only once each time a script is run? It seems like the overhead required to set up the prepared statement would be greater than simply executing the query normally.

Any thoughts and opinions are greatly appreciated. Thank you.
rob Posted September 17, 2012

Prepared statements are run every time a script is run. There are two benefits to using prepared statements:

- Security: prevents SQL injection attacks.
- Speed: for a query that needs to be run multiple times (for the same script execution), the query is sent once to MySQL, then values are sent separately.

http://php.net/manua...-statements.php
Larry Posted September 17, 2012

Yeah, the performance benefits arise when the same query is executed multiple times within the same script, which isn't that common, really. MySQL can, for example, cache queries (of any kind) to improve their performance, too.
HartleySan (Author) Posted September 17, 2012

So I guess the question is: Even if I only execute one query (or one type of query) per script, should I still use prepared statements for the security benefits? Also, just to confirm, if I used prepared statements, I don't need to use (or perhaps, I shouldn't use) mysqli_real_escape_string, right?

Thanks rob and Larry.

Edit: Sorry for all these basic questions, but for the longest time, I only used stored procedures. Recently, however, I switched hosting services, and the new one doesn't allow the use of stored procedures.
Larry Posted September 17, 2012

As for whether you should always use prepared statements for security benefits, you'll get different answers. My opinion is "No", that's not necessary. You can certainly use prepared statements if you want, but from what I have read and believe, mysqli_real_escape_string() and other techniques, when done right, are just as secure. Other people don't believe that to be the case, however, and think that only prepared statements offer true security.

You don't use mysqli_real_escape_string() with prepared statements, though.

I do sometimes use prepared statements, but I'd often rather go the full next step to stored procedures, if I can.
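Both points raised above, rob's that the query text is sent once and only the values travel on each execution, and Larry's that mysqli_real_escape_string() is safe "when done right", are easier to see in code. The following is an added example (mine, not code from any post in this thread) using PHP's mysqli: one prepared statement executed several times with different bound values, beside the equivalent escape-string query written with the quoting and charset handling that "done right" requires. The host, credentials, `users` table and its columns are assumed.

```php
<?php
// Added example, not from the thread. Host, credentials, the `users`
// table and its columns are assumed.
$db = new mysqli('localhost', 'app_user', 'secret', 'app_db');
if ($db->connect_errno) {
    die('Connect failed: ' . $db->connect_error);
}
// Escaping is only correct for the charset the connection actually uses,
// so set it explicitly instead of relying on the server default.
$db->set_charset('utf8mb4');

// 1. Prepared statement: the SQL text goes to MySQL once, at prepare time ...
$stmt = $db->prepare('SELECT id, email FROM users WHERE username = ? AND active = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$username = '';
$active   = 1;
$stmt->bind_param('si', $username, $active); // s = string, i = integer, bound by reference
$stmt->bind_result($id, $email);

// ... and each execute() sends only the current bound values. They never become
// part of the SQL text, so a quote inside a username is just data.
foreach (['alice', "o'brien", 'carol'] as $username) {
    $stmt->execute();
    while ($stmt->fetch()) {
        printf("%d %s\n", $id, $email);
    }
}
$stmt->close();

// 2. Escaped string, "done right": the escaped value must sit inside quotes in
// the SQL, and numbers are cast rather than escaped, because escaping does
// nothing to protect an unquoted number.
$username = "o'brien";
$sql = sprintf(
    "SELECT id, email FROM users WHERE username = '%s' AND active = %d",
    $db->real_escape_string($username),
    (int) $active
);
$result = $db->query($sql);
if ($result === false) {
    die('Query failed: ' . $db->error);
}
while ($row = $result->fetch_assoc()) {
    printf("%d %s\n", $row['id'], $row['email']);
}
$db->close();
```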
HartleySan (Author) Posted September 17, 2012

Larry, thanks a lot as always for your advice and opinion.