Reputation: 31481
Native prepared statements: are they so limited?
An informative-sounding blog post from 2006 states these facts about using native prepared statements in PDO:
- Native prepared statements cannot take advantage of the query cache, resulting in lower performance.
- Native prepared statements cannot execute certains types of queries, such as "SHOW TABLES".
- Native prepared statements don't correctly communicate column lengths for certain other "SHOW" queries, resulting in garbled results.
How much of this is still true today?
Upvotes: 2
Views: 246
Answers (2)
Reputation: 101936
No, this is not true if you are using a recent MySQL version. At least to the most part.
Prepared statements make use of the query cache since MySQL 5.1.17.
Nearly all SQL statements can be run as prepared statements. You can find a list in the MySQL docs.
SHOW TABLESin particular is not in that list, but in all honestly, have you ever used that SQL statement from PHP?I don't know anything about that, but I'd assume that it is fixed.
Don't forget that the emulation of prepared statements is not encoding-safe and as such may (depending on the exact condition) still allow SQL injections.
Upvotes: 4
Reputation: 31740
- falae. As of MySQL 5.1.17 the query cache works with prepared statements
- Why would you need to prepare a statement to do a SHOW TABLES?
- Can you cite a source for that? I've personally not had any issues
Upvotes: 3
Related Questions
- When *not* to use prepared statements?
- PDO prepared statements in pgsql vs mysql
- PDO, Mysql and native prepared statements
- PHP PDO - Using prepared statements causes server error
- Using prepared statements for MySQL query options with PDO
- PDO - prepared statements
- PDO and PHP/MySQL: what is the heck is wrong with PDO's prepared statements?
- PDO prepared statement, correctly used?
- Can I use real prepared statements for MySQL with PDO now?
- Safely using prepared statements to query database