
I understand that it is the best way to prevent SQL injection, but I read that prepared statements double the requests made to the database. And this is bad for performance.

So despite this, are prepared statements considered a best practice? Or is there a better and safer way?

Ant100

  • Where did you read that? Usually prepared statements result in better or equal performance. And they're certainly not considered a best practice, they're the best way to be sure your data is properly encoded. – Denys Séguret Mar 25 '13 at 20:16
  • I believe prepared statements may have a minor performance impact for one-off queries that you never use again. But for queries that you reuse, just with different parameter values, prepared statements have a significant performance boost. – kufudo Mar 25 '13 at 20:19
  • That possible dup question has good answers. You can also find a good explanation in [Wikipedia](https://en.wikipedia.org/wiki/Prepared_statement). – DOK Mar 25 '13 at 20:21
  • I read it in a comment on an article about PDO vs mysqli. – Ant100 Mar 25 '13 at 20:23
  • I was confused about it, thanks for your answer @kufudo – Ant100 Mar 25 '13 at 20:25
  • @kufudo have you seen many (properly designed) web applications that use one query more than once? – Your Common Sense Mar 26 '13 at 05:57
  • To the OP: for a local server the difference is considered to be negligible. Though if the database is on a distant server, this could be a problem. – Your Common Sense Mar 26 '13 at 05:59
  • I have seen some people combining parameterized queries with inline dynamically generated values (e.g. product IDs, timestamps, etc.). Obviously that's bad design, but in that situation it would lead to performance impacts. – kufudo Mar 26 '13 at 06:47
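The thread above is about PHP's PDO and mysqli, but the point the comments make (the SQL text is fixed and the values travel separately, and a statement prepared once can be executed many times) is easiest to see running offline. The following is an added example, not code from the question or any of the comments: it uses Python's `sqlite3` module as a stand-in for the MySQL driver, an in-memory `users` table with constructed rows, and hypothetical function names, and it also reproduces the half-parameterized anti-pattern described in the last comment.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite table standing in for the
# MySQL table a PDO/mysqli script would query. All rows are made up.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create a fresh in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    # One statement prepared once, executed once per row: this is the
    # "reuse with different parameter values" case from the comments.
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Vulnerable: the value is spliced into the SQL text by string formatting.

    Hand-written quotes around %s do not help once the input carries a quote
    of its own; the input then rewrites the WHERE clause.
    """
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Safe: the SQL text is constant and `name` is passed as a bound value.

    The database receives the statement and the value separately, so nothing
    in `name` can change the statement's structure.
    """
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_half_parameterized(conn, name, role):
    """The anti-pattern from the last comment: one value is bound, the other
    ("dynamic" role, product id, timestamp, ...) is still inlined.

    The placeholder protects `name`, but `role` reopens the injection hole,
    and because the statement text now differs per call the server cannot
    reuse a prepared plan either.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND role = '%s'" % role
    return conn.execute(sql, (name,)).fetchall()


def count_users(conn):
    """Row count, used to show how many rows an injected query leaked."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("concatenated, benign   :", lookup_concatenated(db, "bob"))
    print("concatenated, payload  :", lookup_concatenated(db, payload))   # leaks every row
    print("parameterized, payload :", lookup_parameterized(db, payload))  # no such user
    print("half-parameterized     :", lookup_half_parameterized(db, "bob", payload))
```

In PDO terms the safe variant is `$pdo->prepare(...)` followed by `$stmt->execute([...])`. The "two requests" the question refers to only happen with native server-side prepares (`PDO::ATTR_EMULATE_PREPARES` set to false against MySQL: one round trip to prepare, one per execute); with emulation on, PDO quotes the bound values client-side and sends a single query, and either way the values never become part of the statement text you wrote.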
