How many requests to the database are in this example?

$pole1 = $dbh->quote($pole1);
$pole2 = $dbh->quote($pole2);
$pole3 = $dbh->quote($pole3);

$sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 = $pole3';

Does PDO::quote() do a request on every call?
And what about the old mysql_real_escape_string?

Will my code be significantly slower if I have many more fields in the SQL, e.g. 10,
15, ...?


On 3/28/2011 8:57 AM, smerf wrote:

Are you having a performance problem?  If so, you should locate that
performance problem.  If you aren't, don't worry about it.

The reason for calling quote() has nothing to do with performance, and
EVERYTHING to do with security (as well as ensuring a properly quoted
string is passed to the database).  Do NOT compromise security for
performance, especially if you don't know if a performance problem exists!

And to answer your question, yes, quote() would call the database library
for every call (where the driver accepts such calls).  And
mysql_real_escape_string() is not "old" - it is the function which
eventually gets called by the mysql PDO driver.

Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.


smerf wrote:

You probably meant $sql = "..." (double quotes), otherwise $poleX will
not be replaced with that variable's value. In addition to what Jerry
wrote: You should really use prepared statements instead of manual quoting:

$sql = 'UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 = :pole3';
$query = $pdo->prepare( $sql );   // single quotes are fine here: the SQL contains no PHP variables
$query->execute( array(
     'pole1' => $pole1,  // no need for $pdo->quote( $poleX ): values are bound, not spliced into the SQL
     'pole2' => $pole2,
     'pole3' => $pole3 ) );

This way you don't need to bother with the quoting and you are immune
to SQL injection.


Just because many of them are wrong does not make them right!
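Added example, not part of the thread above and not code by either poster: it puts the two points of the reply side by side, the single-quote interpolation bug in the original post and an UPDATE run through a prepared statement with named placeholders. To run offline it assumes an in-memory SQLite database (`sqlite::memory:`) rather than MySQL; the PDO calls (`quote`, `prepare`, `execute`, `rowCount`) are the same across drivers. Table and column names follow the original post (Tabela, pole1..pole3); the rows and the hostile WHERE value are constructed test data. One caveat the reply leaves out: the MySQL PDO driver emulates prepared statements client-side by default, so the example also switches `PDO::ATTR_EMULATE_PREPARES` off, which on MySQL sends the SQL text and the parameters separately. Emulated prepares are still escaped by the driver, but setting the connection charset correctly matters more in that mode.

```php
<?php
// Added example (not from the original thread). In-memory SQLite via PDO
// so it runs without a MySQL server; the API usage is driver-independent.
declare(strict_types=1);

function check(bool $ok, string $what): void {
    // Explicit check instead of assert(), which php.ini may disable.
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Request native server-side prepares. SQLite always prepares natively;
// on MySQL this disables PDO's client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed test data using the column names from the original post.
$pdo->exec('CREATE TABLE Tabela (id INTEGER PRIMARY KEY, pole1 TEXT, pole2 TEXT, pole3 TEXT)');
$pdo->exec("INSERT INTO Tabela (pole1, pole2, pole3) VALUES ('a', 'b', 'row1'), ('c', 'd', 'row2')");

// 1. The single-quote bug from the original post: PHP does not interpolate
//    variables inside single-quoted strings, so the SQL text literally
//    contains "$pole1" and the quote()d value is never used at all.
$pole1 = $pdo->quote("O'Reilly");                 // driver escaping: 'O''Reilly' on SQLite
$sqlBuggy = 'UPDATE Tabela SET pole1 = $pole1 WHERE pole3 = $pole3';
check(str_contains($sqlBuggy, '$pole1'), 'single quotes leave $pole1 as literal text');
check(!str_contains($sqlBuggy, 'Reilly'), 'the escaped value never reaches the SQL');

// 2. Prepared statement with named placeholders. The WHERE value below
//    (constructed) is the classic injection payload if it were concatenated
//    into the SQL text; as a bound parameter it is compared as plain data
//    and simply matches no row.
$hostile = "row1' OR '1'='1";
$stmt = $pdo->prepare('UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 = :pole3');
$stmt->execute([
    'pole1' => "O'Reilly",   // raw value, no quote() needed
    'pole2' => 'changed',
    'pole3' => $hostile,
]);
check($stmt->rowCount() === 0, 'bound hostile value matches no row');

// 3. The same prepared statement reused with the real key: exactly one row
//    changes. Reuse is also the answer to the "how many requests" question
//    for the prepare step: the SQL is parsed once, execute() is repeated.
$stmt->execute(['pole1' => "O'Reilly", 'pole2' => 'changed', 'pole3' => 'row1']);
check($stmt->rowCount() === 1, 'bound real key updates one row');

// 4. For contrast, the concatenated form with the same hostile value.
//    Left commented out on purpose: it would update every row in the table.
//    $pdo->exec("UPDATE Tabela SET pole1 = 'x' WHERE pole3 = '$hostile'");

$rows = $pdo->query('SELECT pole3, pole1, pole2 FROM Tabela ORDER BY id')
            ->fetchAll(PDO::FETCH_ASSOC);
check($rows[0]['pole1'] === "O'Reilly" && $rows[1]['pole1'] === 'c', 'only row1 was touched');
print_r($rows);
```

Run it with `php example.php`; any `check()` failure throws. On a MySQL connection the same code works unchanged apart from the DSN and the CREATE/INSERT syntax, and `PDO::quote()` there is a call into the client library (`mysql_real_escape_string`, using the connection's character set), not a separate round trip to the server.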
