Re: Prep. Statements only in mysql-i? [message #177641 is a reply to message #177640]
Wed, 11 April 2012 23:16
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
Alexandra Herzog wrote:

> I would like to change my homepage (php5, mysql) to use 'prepared
> statements'.
>
> Should I use the mysql-i object?

Yes, unless PDO is or can be made available.

> Or do 'prepared statements' also exist in the normal, plain old mysql
> object, which I know from php4 ?

No. RTFM: <http://php.net/manual/en/set.mysqlinfo.php>

> PDO seems to offer only database independence,

PDO offers much more, including a convenient API for prepared statements
and transactions. RTFM: <http://php.net/manual/en/intro.pdo.php>

Between mysqli and PDO, I have decided in favor of PDO primarily because on
top of several database drivers, PDOStatement::execute() allows passing
parameters as an associative array without binding values to variables
first. Therefore, I have found PDO's to be a very suitable, sufficiently
flexible API for use in MVC-based frameworks, including mine. AFAIK, Zend
Framework uses PDO by default, too.

> but my hoster only offers mysql

Tough luck.

> and I don't intend to change that in the future (it's just a small
> homepage).

You will have to make a change if you want to use prepared statements and
thereby gain a minimum of Web application security.

BTW, there is also de.comp.lang.php, which (also?) has a FAQ.

PointedEars
--
Prototype.js was written by people who don't know javascript for people
who don't know javascript. People who don't know javascript are not
the best source of advice on designing systems that use javascript.
-- Richard Cornford, cljs, <f806at$ail$1$8300dec7(at)news(dot)demon(dot)co(dot)uk>
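
The PDO usage described in the post above (a prepared statement whose parameters are passed to PDOStatement::execute() as an associative array, inside a transaction), as an added example that is not part of the original post. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the `guestbook` table, the `findByAuthor()` helper and all sample values are constructed for illustration.

```php
<?php
// Added example. SQLite in-memory replaces MySQL here; with MySQL only the DSN
// (and credentials) passed to the PDO constructor would differ.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// One prepared statement, reused for every row, wrapped in a transaction.
$insert = $pdo->prepare('INSERT INTO guestbook (author, body) VALUES (:author, :body)');
$rows = [
    ['author' => 'alice',   'body' => 'Hello'],
    ['author' => "O'Brien", 'body' => 'A quote character in a name'],
];

$pdo->beginTransaction();
try {
    foreach ($rows as $row) {
        // Associative array keyed by placeholder name; no bindParam()/bindValue().
        $insert->execute($row);
    }
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();   // leave the table untouched if any insert fails
    throw $e;
}

// Hypothetical helper: the SQL text is fixed, user input travels only as a parameter.
function findByAuthor(PDO $pdo, $author)
{
    $stmt = $pdo->prepare('SELECT id, author, body FROM guestbook WHERE author = :author');
    $stmt->execute(['author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs, as they might arrive from a form field. Both contain
// quote characters; each is compared as a literal string, never parsed as SQL.
$inputs = ["O'Brien", "x' OR '1'='1"];
foreach ($inputs as $input) {
    printf("%-16s => %d row(s)\n", $input, count(findByAuthor($pdo, $input)));
}
```

The first input matches the stored row whose author contains an apostrophe; the second matches nothing, because the whole string is treated as an author name rather than as part of the WHERE clause.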