FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » PDO MySQL
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
PDO MySQL [message #173215] Mon, 28 March 2011 12:57 Go to next message
smerf is currently offline  smerf
Messages: 12
Registered: January 2011
Karma: 0
Junior Member
How many requests to database is in this example ?

$pole1 = $dbh->quote($pole1);
$pole2 = $dbh->quote($pole2);
$pole3 = $dbh->quote($pole3);

$sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 = $pole3';
$dbh->query($sql)


Does PDO::quote() do request on every call ?
And what about old mysql_real_escape_string ?

Will my code be significantly slower if I I have much more fields in sql ex. 10, 15 .. ?
Re: PDO MySQL [message #173216 is a reply to message #173215] Mon, 28 March 2011 13:47 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 3/28/2011 8:57 AM, smerf wrote:
> How many requests to database is in this example ?
>
> $pole1 = $dbh->quote($pole1);
> $pole2 = $dbh->quote($pole2);
> $pole3 = $dbh->quote($pole3);
>
> $sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 =
> $pole3';
> $dbh->query($sql)
>
>
> Does PDO::quote() do request on every call ?
> And what about old mysql_real_escape_string ?
>
> Will my code be significantly slower if I I have much more fields in sql
> ex. 10, 15 .. ?

Are you having a performance problem? If so, you should locate that
performance problem. If you aren't, don't worry about it.

The reason for calling quote() has nothing to do with performance, and
EVERYTHING to do with security (as well as ensuring a properly quoted
string is passed to the database). Do NOT compromise security for
performance, especially if you don't know if a performance problem exists!

And to answer you question, yes, quote() would call the database library
for every call (where the driver accepts such calls). And
mysql_real_escape_string() is not "old" - it is the function which
eventually gets called by the mysql PDO driver.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: PDO MySQL [message #173232 is a reply to message #173215] Mon, 28 March 2011 16:17 Go to previous message
Thomas Mlynarczyk is currently offline  Thomas Mlynarczyk
Messages: 131
Registered: September 2010
Karma: 0
Senior Member
smerf schrieb:

> $pole1 = $dbh->quote($pole1);
> $pole2 = $dbh->quote($pole2);
> $pole3 = $dbh->quote($pole3);
>
> $sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 =
> $pole3';
> $dbh->query($sql)

You probably meant $sql = "..." (double quotes), otherwise $poleX will
not be replaced with that variable's value. In addition to what Jerry
wrote: You should really use prepared statements instead of manual quoting:

$sql = 'UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 =
:pole3';
$query = $pdo->prepare( $sql );
$query->execute( array(
'pole1' => $pole1, // no need for $pdo->quote( $poleX )
'pole2' => $pole2,
'pole3' => $pole3 ) );

This way you don't need to bother with the quoting and you are immune
against SQL injections.

Greetings,
Thomas


--
Ce n'est pas parce qu'ils sont nombreux à avoir tort qu'ils ont raison!
(Coluche)
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: Stats comp.lang.php (last 7 days)
Next Topic: Failed @getimagesize() print to error_log?
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 23:10:27 GMT 2024

Total time taken to generate the page: 0.02580 seconds