March 28, 2011, 12:57 pm
$pole1 = $dbh->quote($pole1);
$pole2 = $dbh->quote($pole2);
$pole3 = $dbh->quote($pole3);
$sql = 'UPDATE Tabela SET pole1 = $pole1, pole2 = $pole2 WHERE pole3 = $pole3';
Does PDO::quote() make a request to the database on every call?
And what about the old mysql_real_escape_string?
Will my code be significantly slower if I have many more fields in the SQL, e.g. 10,
15 ...?
Re: PDO MySQL
Are you having a performance problem? If so, you should locate that
performance problem. If you aren't, don't worry about it.
The reason for calling quote() has nothing to do with performance, and
EVERYTHING to do with security (as well as ensuring a properly quoted
string is passed to the database). Do NOT compromise security for
performance, especially if you don't know if a performance problem exists!
And to answer your question, yes, quote() would call the database library
for every call (where the driver accepts such calls). And
mysql_real_escape_string() is not "old" - it is the function which
eventually gets called by the mysql PDO driver.
Remove the "x" from my email address
JDS Computer Training Corp.
Re: PDO MySQL
You probably meant $sql = "..." (double quotes), otherwise $poleX will
not be replaced with that variable's value. In addition to what Jerry
wrote: You should really use prepared statements instead of manual quoting:
$sql = 'UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 = :pole3';
$query = $pdo->prepare( $sql );
$query->execute( array(
    'pole1' => $pole1, // no need for $pdo->quote( $poleX )
    'pole2' => $pole2,
    'pole3' => $pole3 ) );
This way you don't need to bother with the quoting, and you are immune
to SQL injection.
Being many in the wrong does not make them right!
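As an added, runnable illustration of the two approaches discussed in this thread (not code from either poster), the script below uses PDO with an in-memory SQLite database so it needs no MySQL server. The table and column names (Tabela, pole1..pole3) follow the thread; the row values and the suspicious-looking input are constructed for the demonstration. It shows why the single-quoted PHP string in the original post never interpolates its variables, what PDO::quote() produces, and how a prepared statement stores a value that looks like SQL as plain data.

```php
<?php
// Added example: PDO over in-memory SQLite, so it runs offline.
// Table/column names follow the thread; all values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Tabela (pole1 TEXT, pole2 TEXT, pole3 TEXT)');
$pdo->exec("INSERT INTO Tabela VALUES ('a', 'b', 'key1')");
$pdo->exec("INSERT INTO Tabela VALUES ('c', 'd', 'key2')");

// 1. The original post's mistake: PHP single quotes do not interpolate,
//    so the SQL text would contain the literal characters "$pole1".
$pole1   = "O'Reilly";
$literal = 'UPDATE Tabela SET pole1 = $pole1';
echo "Single-quoted PHP string: ", $literal, "\n";

// 2. Manual quoting: PDO::quote() adds the surrounding quotes and escapes
//    the embedded apostrophe for the connected driver (one call per value).
echo "PDO::quote() result:     ", $pdo->quote($pole1), "\n";

// 3. Prepared statement with named placeholders, as the second reply suggests.
//    Values are sent as parameters, so no per-field quote() call is needed and
//    a value that resembles SQL syntax is stored as data, not executed.
$stmt = $pdo->prepare(
    'UPDATE Tabela SET pole1 = :pole1, pole2 = :pole2 WHERE pole3 = :pole3'
);
$stmt->execute([
    'pole1' => "x' OR '1'='1",   // constructed value that would break naive string building
    'pole2' => 'new',
    'pole3' => 'key1',
]);
echo "Rows updated: ", $stmt->rowCount(), "\n";   // only the key1 row matches

// Verify that the key1 row holds the text verbatim and key2 is untouched.
$check = $pdo->query('SELECT pole1, pole2, pole3 FROM Tabela ORDER BY pole3');
foreach ($check->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo implode(' | ', $row), "\n";
}

// 4. The same prepared statement can be executed repeatedly, which is the
//    usual answer to "many fields, many calls": prepare once, bind per row.
$more = [['e', 'f', 'key2']];
foreach ($more as [$p1, $p2, $p3]) {
    $stmt->execute(['pole1' => $p1, 'pole2' => $p2, 'pole3' => $p3]);
}
echo "Rows updated in loop: ", $stmt->rowCount(), "\n";
```

Run it with the php CLI (the pdo_sqlite extension must be enabled). Exactly what PDO::quote() emits depends on the driver, which is also why it needs a live connection on MySQL, as Jerry notes; the prepared statement path sidesteps that question entirely.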