Comment Re:Quarentine the SQL (Score 1) 974
You don't use prepared statements to avoid SQL injection. You use them to avoid server-side parsing. Make sure you only call the prepared statement once per unique SQL in each physical DB connection? Quite hard to do if you have a connection pool. But this is the way to go for max scalability.
Avoiding parsing is the number one thing here (using bind variables).
Avoiding SQL injection is just something extra you get for free. But this can be achieved with statement as well.
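The two points in the comment above (bind variables keep the SQL text constant, so it is parsed once; the value itself is never parsed as SQL) shown as an added example, not code from the original post. It uses Python's sqlite3 with a constructed in-memory `users` table; the `parsed` set is a stand-in for the server's statement cache, counting how many distinct SQL texts the connection had to hard-parse.

```python
import sqlite3

# Constructed sample rows; one name contains an apostrophe on purpose.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("o'brien", "user")]


class CountingConnection:
    """In-memory sqlite3 connection that records every distinct SQL text it sees.
    Each distinct text stands for one server-side parse of a new statement."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
        self.conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
        self.parsed = set()  # distinct SQL texts == hard parses

    def query(self, sql, params=()):
        self.parsed.add(sql)
        return [row[0] for row in self.conn.execute(sql, params)]


def lookup_concat(db, name):
    # String concatenation: every new value produces a new SQL text, so the
    # server parses again each time, and the value is read as SQL syntax.
    return db.query("SELECT role FROM users WHERE name = '" + name + "'")


def lookup_bound(db, name):
    # Bind variable: the SQL text never changes (one parse per connection),
    # and the value travels separately as data, whatever characters it holds.
    return db.query("SELECT role FROM users WHERE name = ?", (name,))


def compare(names):
    """Run both styles over the same names and report parse counts and failures."""
    concat_db, bound_db = CountingConnection(), CountingConnection()
    concat_errors = 0
    for n in names:
        try:
            lookup_concat(concat_db, n)
        except sqlite3.Error:  # the apostrophe breaks the concatenated statement
            concat_errors += 1
        lookup_bound(bound_db, n)
    return {
        "concat_parses": len(concat_db.parsed),
        "bound_parses": len(bound_db.parsed),
        "concat_errors": concat_errors,
    }


if __name__ == "__main__":
    print(compare(["alice", "bob", "o'brien"]))
```

With three lookups the concatenated version sends three different SQL texts (three parses) and fails on the name with an apostrophe, while the bound version sends one SQL text (one parse) and returns the right row for every name; the pooling caveat in the comment is that this one-parse count holds per physical connection, so a pool of N connections still parses each unique statement up to N times.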