[TYPO3-english] Prepared statements.

Jigal van Hemert jigal at xs4all.nl
Wed Nov 19 11:52:08 CET 2008


Hi Dmitry,

> Vahan Amirbekyan wrote:
>> what is the deal with prepared statements.
>> Are they supported in v4.x ?
> Performance may be, though no one did tests. Security I do not
> see how.

Security will not improve by using prepared statements where MySQL
server/client is concerned, but the PHP interface will either be PDO or
mysqli.

http://www.php.net/manual/en/pdo.quote.php mentions:
"If you are using this function to build SQL statements, you are strongly
recommended to use PDO::prepare() to prepare SQL statements with bound
parameters instead of using PDO::quote() to interpolate user input into a
SQL statement. Prepared statements with bound parameters are not only more
portable, more convenient, immune to SQL injection, but are often much
faster to execute than interpolated queries, as both the server and client
side can cache a compiled form of the query."

I'm not sure whether mysqli::prepare() and mysqli_stmt::bind_param() will
require data to be escaped...

> Dmitry Dulepov
> My TYPO3 book: http://www.packtpub.com/typo3-extension-development/book
Excellent book BTW :-)

-- 
Jigal van Hemert.
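As an added example (not part of the mailing-list thread and not TYPO3 code), the following contrasts the two approaches the PDO manual quote refers to: interpolating a value with PDO::quote() versus binding it with PDO::prepare(), plus the mysqli::prepare()/mysqli_stmt::bind_param() equivalent. It runs against an in-memory SQLite database so it needs no MySQL server; the `fe_users` table and its rows are constructed sample data, and the mysqli function assumes an already-open `mysqli` connection and is not executed here.

```php
<?php
// Added example, not from the thread: PDO::quote() interpolation vs. bound
// parameters (PDO and mysqli). In-memory SQLite stands in for MySQL.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample table; the name mirrors TYPO3's fe_users but the data is made up.
    $db->exec('CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, disabled INTEGER)');
    $db->exec("INSERT INTO fe_users (username, disabled) VALUES ('alice', 0), ('bob', 1)");
    return $db;
}

// Interpolation: PDO::quote() escapes the value, but safety depends on the
// developer quoting every single value (including ones used in numeric
// comparisons) and on the connection charset being known to the client.
function findUserInterpolated(PDO $db, string $username): array
{
    $sql = 'SELECT uid, username FROM fe_users WHERE username = '
         . $db->quote($username) . ' AND disabled = 0';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter: the query structure is fixed before any user input is
// seen, and the value travels separately from the SQL text, so no escaping
// is needed (and none must be applied, or backslashes end up in the data).
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare(
        'SELECT uid, username FROM fe_users WHERE username = :username AND disabled = 0'
    );
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// mysqli equivalent. bind_param() likewise takes the raw value; do not run it
// through mysqli::real_escape_string() first. Assumes an open connection
// $link (not executed in this example because it needs a MySQL server).
function findUserMysqli(mysqli $link, string $username): array
{
    $stmt = $link->prepare(
        'SELECT uid, username FROM fe_users WHERE username = ? AND disabled = 0'
    );
    $stmt->bind_param('s', $username);   // 's' = string type
    $stmt->execute();
    $stmt->bind_result($uid, $name);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['uid' => $uid, 'username' => $name];
    }
    $stmt->close();
    return $rows;
}

$db = makeDb();
// Constructed input containing a quote character; both functions treat the
// whole string as one username value and return no row for it.
$withQuote = "o'brien";
var_dump(findUserInterpolated($db, 'alice'));     // one row: uid 1, alice
var_dump(findUserPrepared($db, 'alice'));         // one row: uid 1, alice
var_dump(findUserInterpolated($db, $withQuote));  // empty array
var_dump(findUserPrepared($db, $withQuote));      // empty array
```

One caveat worth knowing when this is used with the MySQL driver rather than SQLite: PDO_MYSQL emulates prepared statements on the client by default, which means PDO itself quotes the bound values and the server never sees a prepared statement; set `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection if you want the server-side compiled form and cache the manual text describes.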


