PHP - security etc

Peter Corlett abuse at cabal.org.uk
Wed Mar 7 15:38:51 GMT 2007


On Wed, Mar 07, 2007 at 02:30:41PM +0000, Michael Stillwell wrote:
[...]
> (As a side note, does anyone else find it a bit odd that MySQL prepared
> statements don't/can't use the query cache? Is there any way around this?
> Is this a problem with other DBs?)

AFAICS, queries are reparsed each time with Perl DBI too.

PostgreSQL seems to do the right thing, although the use of placeholders can
sometimes rob the optimiser of a chance to select an even better query plan.

I'm not entirely convinced that there's much of a performance gain (or
loss!) from using placeholders, but it *does* at least make SQL injection
attacks disappear, which is definitely more important. I'll take correct
over fast every time (which is also why I'll pick PostgreSQL over MySQL when
given the choice.)
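The injection point the reply refers to, as an added example that is not part of the original message: a login lookup written with Perl DBI twice, once with the values interpolated into the SQL text and once with `?` placeholders. It assumes DBD::SQLite is installed and uses an in-memory database; the table, its two rows and the attacker-style input are constructed here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database via DBD::SQLite (assumed installed). The schema
# and rows below are constructed for this example.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)");
$dbh->do("INSERT INTO users (name, pass) VALUES ('alice', 's3cret')");
$dbh->do("INSERT INTO users (name, pass) VALUES ('bob', 'hunter2')");

# Attacker-controlled input: closes the quoted string and adds a tautology.
my $name = "x' OR '1'='1";
my $pass = "x' OR '1'='1";

# Vulnerable: the values are interpolated straight into the SQL text, so the
# quotes in $name and $pass become part of the query's syntax. The query the
# database sees is
#   ... WHERE name = 'x' OR '1'='1' AND pass = 'x' OR '1'='1'
# which is true for every row.
sub login_interpolated {
    my ($dbh, $name, $pass) = @_;
    my $sql = "SELECT name FROM users WHERE name = '$name' AND pass = '$pass'";
    return $dbh->selectall_arrayref($sql);
}

# Safe: the SQL text is fixed at prepare time; the values travel separately
# as bind parameters and are compared as data, whatever characters they hold.
sub login_placeholders {
    my ($dbh, $name, $pass) = @_;
    my $sth = $dbh->prepare("SELECT name FROM users WHERE name = ? AND pass = ?");
    $sth->execute($name, $pass);
    return $sth->fetchall_arrayref;
}

my $rows = login_interpolated($dbh, $name, $pass);
printf "interpolated: %d row(s) matched (%s)\n",
       scalar @$rows, join(", ", map { $_->[0] } @$rows);

$rows = login_placeholders($dbh, $name, $pass);
printf "placeholders: %d row(s) matched\n", scalar @$rows;

# A legitimate value containing a quote needs no escaping with placeholders.
$rows = login_placeholders($dbh, "o'brien", "pw");
printf "placeholders, quote in value: %d row(s) matched\n", scalar @$rows;
```

The interpolated version returns both rows for the tautology input; the placeholder version returns none, and needs no quoting logic for values such as `o'brien`. Placeholders bind values only: a table or column name, or the direction of an `ORDER BY`, cannot be passed through `?` and still has to be checked against a fixed list before it is spliced into the statement.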



More information about the london.pm mailing list