Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack.
The way the Mysql cookbook explained it it was useful for recurring queries because you have a prepared statement that you only change the values you want. For a single query (which is what this is) it seemed a waste of code to me. Of course, I didn’t know it would also take care of escaping characters.
Honestly though, for a sinlge query it still seems like a waste of code unless I’m missing some other magic of Prepared Statements.
The query you use is stored in MySQLs memory a lot longer then the script itself. While it may be used in the script once, it is used in multiple instances of that script. Prepared Statements transcend PHP instances. Furthermore, making SQL Injection almost impossible, making the above “escaping” code obsolete.
Prepared Statements are very practical even for single SQL queries. There is actually less code for Prepared Statements, the actual work is done on the SQL server instead. (If it supports Prepared Statements of course.)
If you don’t want to use Prepared Statements, at least use the MySQLi extension instead of the older set.
That’s interesting, I didn’t know that, none of this was mentioned in the cookbook nor did I see it in the links you sent, but I did read them on my iphone this morning before coffee so maybe I just missed them.
While we’re on the subject, what is the difference between Mysqli and mysql connectors?
Well, this is a whole new box of frogs. Having started with php and mysql many, many moons ago I stayed with the old ways and have been slow to update (never mind that I forgot a lot of stuff in the interim
But this looks really interesting, will try to incorporate it into this current project.
Once again, thank you very much to all who helped, this forum is invaluable.
Stay tuned for some more pestering questions about mysqli now
DO NOT use mysqli barebone, thats about the worst way to do prepared statements. Use PDO Mysql or a Mysqli wrapper, that has prepare statements in it and much easier interface.
I wrote a mysqli wrapper, which is now integrated with the company I work for and only supports 5.3, but you can use the older version (for 5.2) at http://gorilla3d.com/v8/wiki/doku.php?id=mysqli_db. If you do have 5.3 just PM me and I’ll send you the updated file.