PDO MySQL [message #173215]
Mon, 28 March 2011 12:57
smerf
How many requests to the database are there in this example?
$pole1 = $dbh->quote($pole1);
$pole2 = $dbh->quote($pole2);
$pole3 = $dbh->quote($pole3);
$sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 = $pole3';
$dbh->query($sql);
Does PDO::quote() make a request on every call?
And what about the old mysql_real_escape_string?
Will my code be significantly slower if I have many more fields in the SQL, e.g. 10, 15 ...?
Re: PDO MySQL [message #173216 is a reply to message #173215]
Mon, 28 March 2011 13:47
Jerry Stuckle
On 3/28/2011 8:57 AM, smerf wrote:
> How many requests to database is in this example ?
>
> $pole1 = $dbh->quote($pole1);
> $pole2 = $dbh->quote($pole2);
> $pole3 = $dbh->quote($pole3);
>
> $sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 =
> $pole3';
> $dbh->query($sql)
>
>
> Does PDO::quote() do request on every call ?
> And what about old mysql_real_escape_string ?
>
> Will my code be significantly slower if I I have much more fields in sql
> ex. 10, 15 .. ?
Are you having a performance problem? If so, you should locate that
performance problem. If you aren't, don't worry about it.
The reason for calling quote() has nothing to do with performance, and
EVERYTHING to do with security (as well as ensuring a properly quoted
string is passed to the database). Do NOT compromise security for
performance, especially if you don't know if a performance problem exists!
And to answer your question, yes, quote() would call the database library
for every call (where the driver accepts such calls). And
mysql_real_escape_string() is not "old" - it is the function which
eventually gets called by the mysql PDO driver.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: PDO MySQL [message #173232 is a reply to message #173215]
Mon, 28 March 2011 16:17
Thomas Mlynarczyk
smerf wrote:
> $pole1 = $dbh->quote($pole1);
> $pole2 = $dbh->quote($pole2);
> $pole3 = $dbh->quote($pole3);
>
> $sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 =
> $pole3';
> $dbh->query($sql)
You probably meant $sql = "..." (double quotes), otherwise $poleX will
not be replaced with that variable's value. In addition to what Jerry
wrote: You should really use prepared statements instead of manual quoting:
$sql = 'UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 =
:pole3';
$query = $pdo->prepare( $sql );
$query->execute( array(
'pole1' => $pole1, // no need for $pdo->quote( $poleX )
'pole2' => $pole2,
'pole3' => $pole3 ) );
This way you don't need to bother with the quoting and you are immune
to SQL injection.
Greetings,
Thomas
--
It is not because many of them are wrong that they are right!
(Coluche)
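As an added example (not code from the thread or from PHP's documentation), here is smerf's UPDATE written with a prepared statement as Thomas suggests, run against an in-memory SQLite database so it works without a MySQL server. The table and column names (Tabela, pole1..pole3) are the thread's; the function name, the sample rows and the input value are constructed for this illustration.

```php
<?php
// Added example: the thread's UPDATE as a prepared statement. With MySQL only the
// DSN and credentials change; SQLite is used here so the script runs offline.

function updateRow(PDO $dbh, string $pole1, string $pole2, string $pole3): int
{
    // Named placeholders: the values travel separately from the SQL text, so no
    // quote() call is needed and a value cannot change the shape of the query.
    $sql  = 'UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 = :pole3';
    $stmt = $dbh->prepare($sql);
    $stmt->execute(['pole1' => $pole1, 'pole2' => $pole2, 'pole3' => $pole3]);
    return $stmt->rowCount();
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also disable client-side emulation so the server parses
// the statement once and receives the parameters out of band (assumed setting for
// a MySQL deployment; it has no effect on the SQLite driver used here):
// $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$dbh->exec('CREATE TABLE Tabela (pole1 TEXT, pole2 TEXT, pole3 TEXT)');
$dbh->exec("INSERT INTO Tabela VALUES ('a', 'b', 'key1')");   // constructed row

// Constructed input containing an apostrophe and a comment marker. Built into the
// SQL text by hand without correct quoting, this would break or alter the query.
$value = "O'Brien -- comment";
$rows  = updateRow($dbh, $value, 'second', 'key1');

$stored = $dbh->query("SELECT pole1 FROM Tabela WHERE pole3 = 'key1'")->fetchColumn();
assert($rows === 1);
assert($stored === $value);   // stored literally, apostrophe and all

// Thomas's other point: a single-quoted PHP string does not interpolate, so the
// original post's SQL text would literally contain "$pole1" rather than its value.
$literal = 'UPDATE Tabela SET pole1 = $pole1';
assert(strpos($literal, '$pole1') !== false);

echo "updated rows: $rows, stored value: $stored\n";
```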