Обсуждение: Prepared queries vs Non-prepared
Hi! I am testing the PHP PDO library versus the old style PHP postgres functions. I noted that PDO library declare and prepare every statement. I mean: $s = $db->query("select * from test where field=1"); is equivalent to $s = $db->prepare("select * from test where field=?"); $s->execute(array('1')); I logged the queries sent to the database and i saw that they are the same (apart obviously the parameter): PREPARE pdo_pgsql_stmt_b7a71234 AS select * from test where field=1 <BIND> EXECUTE <unnamed> [PREPARE: select * from test where field=1] PREPARE pdo_pgsql_stmt_b7a713b0 AS select * from test where field=$1 <BIND> EXECUTE <unnamed> [PREPARE: select * from test where field=$1] Speaking about postgresql performance... would not it be more efficient executing directly the query in the first case ($db->query) than preparing a statement without parameters and then executing it? Thank you in advance, Denis
Denis Gasparin wrote: > Hi! > I am testing the PHP PDO library versus the old style PHP postgres > functions. > > I noted that PDO library declare and prepare every statement. I mean: > > $s = $db->query("select * from test where field=1"); > > is equivalent to > > $s = $db->prepare("select * from test where field=?"); > $s->execute(array('1')); > Speaking about postgresql performance... > would not it be more efficient executing directly the query in the first > case ($db->query) than > preparing a statement without parameters and then executing it? It almost certainly is faster, at least for very short queries that you only run once. Hopefully if I run the same query twice in a row, the PDO library doesn't prepare it twice. However, the separate prepare/execute is a little safer since it's harder for a user-supplied parameter to have the wrong type or do sql injection. -- Richard Huxton Archonet Ltd