Re: Prepared queries vs Non-prepared

Denis Gasparin wrote:
> Hi!
> I am testing the PHP PDO library versus the old style PHP postgres
> functions.
>
> I noted that PDO library declare and prepare every statement. I mean:
>
> $s = $db->query("select * from test where field=1");
>
> is equivalent to
>
> $s = $db->prepare("select * from test where field=?");
> $s->execute(array('1'));

> Speaking about postgresql performance...
> would not it be more efficient executing directly the query in the first
> case ($db->query) than
> preparing a statement without parameters and then executing it?

It almost certainly is faster, at least for very short queries that you
only run once. Hopefully if I run the same query twice in a row, the PDO
library doesn't prepare it twice.

However, the separate prepare/execute is a little safer since it's
harder for a user-supplied parameter to have the wrong type or do sql
injection.

--
   Richard Huxton
   Archonet Ltd