1

I was using http://www.yiiframework.com/doc/guide/1.1/en/database.dao

Data Access Objects (DAO) uses PDO.

Was unsure which was best

Option One - Inline Code

    $alias_name =Utils::checkEnteredData($alias_name);
    $connection = Yii::app()->db;       
    $sql_images = $connection->createCommand("SELECT ig.id, 
        ig.is_flickr,                     
        ig.main_image,
        ig.author_id,
        ig.description,
        ig.latitude, 
        ig.longitude,
        ig.is_youtube, 
        ig.author_id,       
        ig.flickr_youtube_id, 
        ig.thumbnail_image_medium, 
        ig.thumbnail_image, 
        ig.alias_title,
                    ig.image_hits, 
                    ig.title, 
                    ig.created_on,
        a.title,
        a.alias_title as album_alias_title,
        igo.realname, 
        igo.username,
                    igo.location from image_gallery ig 
                    JOIN album a ON ig.album_id = a.id 
                    LEFT JOIN image_gallery_owner igo ON ig.author_id = igo.id  
                    WHERE ig.approved =:approved AND ig.visible=:visible AND ig.alias_title =:alias_title LIMIT 1");
    $sql_images->bindValues(array(':alias_title'=>$alias_name, ':approved'=>'Yes', ':visible'=>'1'));               
    $image = $sql_images->queryAll();

Option 2 Stored Procedure:

  public function getImageFromAliasTitle($alias_title)  
        {     
            $alias_title =Utils::checkEnteredData($alias_title);  
            $connection = Yii::app()->db;   
            $command = $connection->createCommand("CALL getSingleImage(:alias_title)");   
            $command->bindParam(":alias_title",$alias_title,PDO::PARAM_STR);  
            $image = $command->queryAll();  
            return $image;  
        }
JvdBerg
  • 21,777
  • 8
  • 38
  • 55
Matthew Chambers
  • 869
  • 3
  • 20
  • 34

1 Answers1

0

It depends, but I'd still recommend on using stored procedure for your case. The major reasons being(Taken from a previous answer):

  1. Stored procedure have the of benefits of no need to grant users direct table access.

  2. Since each non-parametrized query is a new, different query to SQL Server, it has to go through all the steps of determining the execution plan, for each query (thus wasting time - and also wasting plan cache space, since storing the execution plan into plan cache doesn't really help in the end, since that particular query will probably not be executed again)

  3. Non-parametrized queries are at risk of SQL injection attack and should be avoided at all costs.

This is an interesting read too.

Community
  • 1
  • 1
hjpotter92
  • 78,589
  • 36
  • 144
  • 183