Askerman

Reputation: 847

Is it worth it using a prepared mysql statement for one query?

If I have a simple prepared query like this:

// $conn is assumed to be an already-opened mysqli connection
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);

// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "[email protected]";
$stmt->execute();

And I only execute the query once during the lifetime of the page.

Is it worth it using prepared mysql statements for queries like that?

Upvotes: 0

Views: 55

Answers (1)

deceze

Reputation: 522081

What you want most of all here is the security of parameterised queries. The API to do parameterised queries happens to be the same as the one for prepared statements. Or in other words, the API that enables the separation of the query structure from the submission of the values kills two birds with one stone:

  1. Safe transfer of arbitrary values to the database engine.
  2. Reusability of already parsed queries.

It's worth it if you're just using one of them, you don't need to use both aspects at the same time to justify the use of the prepare API.

The alternative of manually escaping values is always more error prone and verbose.

Upvotes: 1
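To make the "separation of query structure from values" point concrete, here is the question's INSERT written both ways, as an added example that is not from the question or the answer. It assumes $conn is an open mysqli connection and the MyGuests table exists; the surname with an apostrophe is a constructed, perfectly ordinary input that already breaks the concatenated version.

```php
<?php
// Added example, not code from the original post. Assumes $conn is an open
// mysqli connection and that the MyGuests table from the question exists.
// Throw exceptions on MySQL errors so a failed query is visible.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Constructed input: an everyday surname that happens to contain a quote.
$firstname = "Mary";
$lastname  = "O'Brien";
$email     = "mary@example.com";

// 1. String interpolation: the values become part of the SQL text, so the
//    apostrophe in O'Brien closes the string literal early and the statement
//    no longer parses (with other inputs it could instead change meaning).
function insertByInterpolation(mysqli $conn, string $firstname, string $lastname, string $email): bool
{
    $sql = "INSERT INTO MyGuests (firstname, lastname, email)
            VALUES ('$firstname', '$lastname', '$email')";
    try {
        $conn->query($sql);
        return true;
    } catch (mysqli_sql_exception $e) {
        // For O'Brien this is a syntax error: data was parsed as SQL.
        error_log("interpolated INSERT failed: " . $e->getMessage());
        return false;
    }
}

// 2. Parameterised statement: the SQL text goes to the server with
//    placeholders, the values travel separately, and the engine never parses
//    them as SQL. The apostrophe is stored as data with no escaping on our side.
function insertByParameters(mysqli $conn, string $firstname, string $lastname, string $email): bool
{
    $stmt = $conn->prepare(
        "INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)"
    );
    $stmt->bind_param("sss", $firstname, $lastname, $email);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

var_dump(insertByInterpolation($conn, $firstname, $lastname, $email));
var_dump(insertByParameters($conn, $firstname, $lastname, $email));
```

The first call fails on a legitimate name without any attacker involved, which is the "error prone" part of manual escaping; the second succeeds even though the statement is prepared and executed exactly once.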
