PDO::prepare or PDO::query?
Hello.
Tell me, does it make sense to use PDO::prepare instead of PDO::query?
I heard that prepared queries to the database are preferable, since prepare gives an increase in speed on a large number of queries of the same type.
Is it true that prepare doesn't make sense to use for INSERT/UPDATE?
Which is better to use when binding input values - named (:param) or unnamed (?) pseudo-variables?
Does using prepared queries provide full protection against sql injections?
Thanks in advance
> Tell me, does it make sense to use PDO::prepare instead of PDO::query?

query does not replace prepare.

> Is it true that prepare doesn't make sense to use for INSERT/UPDATE?

Only it should be used. You can do parameter binding (see below).

> Which is better to use when binding input values - named (:param) or unnamed (?) pseudo-variables?

Irrelevant.

> Does using prepared queries provide full protection against sql injections?

Yes.
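The difference the answer above is pointing at, as an added example that is not part of the original thread: the same lookup done with PDO::query on an interpolated string and with PDO::prepare on bound placeholders, followed by the one case placeholders cannot cover. It assumes the pdo_sqlite extension and uses an in-memory database with constructed rows so it runs offline; the `sort` request parameter and the `users` table are hypothetical.

```php
<?php
// Added example, not from the original thread. In-memory SQLite via pdo_sqlite;
// the table and rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Hostile input: the quote closes the SQL string literal early.
$name = "x' OR '1'='1";

// VULNERABLE: PDO::query with the value spliced into the SQL text.
// The WHERE clause becomes  name = 'x' OR '1'='1', which is always true,
// so every row in the table comes back.
$leaked = $pdo->query("SELECT name FROM users WHERE name = '$name'")
              ->fetchAll(PDO::FETCH_COLUMN);
echo 'query() with interpolation returned ', count($leaked), " rows\n";

// SAFE: PDO::prepare with a named placeholder. The value travels separately
// from the SQL text, so it is only ever compared as the literal string
// "x' OR '1'='1" and matches nothing.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
echo 'prepare() with :name returned ', count($stmt->fetchAll(PDO::FETCH_COLUMN)), " rows\n";

// Positional placeholders bind exactly the same way; named vs. ? is a style
// choice. Binding works for INSERT/UPDATE just as it does for SELECT.
$stmt = $pdo->prepare('UPDATE users SET role = ? WHERE name = ?');
$stmt->execute(['user', $name]);
echo 'UPDATE with ? placeholders touched ', $stmt->rowCount(), " rows\n";

// CAVEAT: placeholders stand in for values only. Identifiers (table and
// column names) and ORDER BY direction cannot be bound, so anything
// user-controlled in those positions has to be checked against an allow-list.
$allowedColumns = ['name', 'role'];
$orderBy = $_GET['sort'] ?? 'name';           // hypothetical request parameter
if (!in_array($orderBy, $allowedColumns, true)) {
    $orderBy = 'name';                         // fall back to a known-safe column
}
$stmt = $pdo->query("SELECT name FROM users ORDER BY $orderBy");
echo 'ORDER BY ', $orderBy, ': ', implode(', ', $stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
```

On pdo_mysql, PDO emulates prepares client-side by default, which means the driver escapes bound values itself; that escaping depends on the connection charset, so set `charset=` in the DSN rather than with a later SET NAMES, or disable emulation with `PDO::ATTR_EMULATE_PREPARES => false` so the server does the binding.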
Of course, I don’t pretend to be a mega specialist in SQL, but
PDO::prepare - prepares a statement on the server that can be reused; whether it is 1 query or 100 with different parameters does not matter much.
PDO::query - prepares and executes a statement in one go; for every subsequent query, even one of the same type, the query is built from scratch.
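The reuse described above, as an added example that is not part of the original thread: one PDO::prepare call whose statement is executed in a loop, for INSERT and then UPDATE, inside a transaction. It assumes the pdo_sqlite extension and an in-memory database; the `events` table and the rows inserted are constructed sample data, and the driver check for `PDO::ATTR_EMULATE_PREPARES` is there for readers who swap in a pdo_mysql DSN.

```php
<?php
// Added example, not from the original thread. In-memory SQLite so it runs
// offline; the events below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// pdo_mysql emulates prepares client-side by default. Turning emulation off
// makes prepare() create a real server-side statement that execute() reuses.
// pdo_sqlite has no emulation, so the attribute is only set for mysql.
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}

$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, host TEXT NOT NULL, severity INTEGER NOT NULL)');

// Constructed input, as if parsed from a log feed. The last host name carries
// an injection attempt to show that bound values in INSERT are inert.
$events = [
    ['host' => 'web-01', 'severity' => 3],
    ['host' => 'web-02', 'severity' => 5],
    ['host' => "db-01'; DROP TABLE events; --", 'severity' => 1],
];

// Prepare once...
$insert = $pdo->prepare('INSERT INTO events (host, severity) VALUES (:host, :severity)');

// ...execute many times. The SQL text is parsed once; each execute() ships only
// the parameter values. The transaction avoids one commit per row, which on a
// real server dominates the cost of small inserts.
$pdo->beginTransaction();
try {
    foreach ($events as $e) {
        $insert->execute([':host' => $e['host'], ':severity' => $e['severity']]);
    }
    $pdo->commit();
} catch (PDOException $ex) {
    $pdo->rollBack();
    throw $ex;
}

// The same pattern for UPDATE: one prepared statement, many executions.
$bump = $pdo->prepare('UPDATE events SET severity = severity + 1 WHERE host = ?');
foreach (['web-01', 'web-02'] as $host) {
    $bump->execute([$host]);
}

// The table still exists and the hostile host name was stored verbatim.
$count = $pdo->query('SELECT COUNT(*) FROM events')->fetchColumn();
$stored = $pdo->prepare('SELECT severity FROM events WHERE host = ?');
$stored->execute(["db-01'; DROP TABLE events; --"]);
printf("%d rows stored; hostile row severity = %s\n", $count, $stored->fetchColumn());
```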
There will be protection. How complete it is, only people who deal with SQL injections can say; here you will have to rely on the developers. Judging by the escaping provided by the use of placeholders, then yes, in theory it is complete.
Does it make sense to use PDO::prepare instead of PDO::query? Let's proceed from the fact that the manuals for the extension recommend prepare everywhere, even for single, non-repeating queries.