Hi,
When doing mysql query (SELECT statements) in php, we often use prepare
statement to prevent SQL injection. However, I just noticed that the
prepare statements can SLOW the number of queries per second by a
factor of 2 times (max).
So are there any faster method that can prevent SQL injection, but has
a better performance?
Thanks. 3 2863
If it is MySQL < 4.1, then you are using emulated prepared statements,
which may be causing the slowdown. It wouldn't surprise me if PEAR was
doing some funny regex's to parse the queries, escape the values, etc.
If you're using a database abstraction library, maybe try switching the
abstraction library (See PDO and Adodb, among others), it might speed
things up.
It should also be noted that using prepare/execute requires 2 trips to
the server
( http://dev.mysql.com/tech-resources/...atements.html),
since it has to send it to be parsed, then send it to be executed.
This would account for the exact factor of 2. ho******@gmail. com wrote: Hi,
When doing mysql query (SELECT statements) in php, we often use prepare statement to prevent SQL injection. However, I just noticed that the prepare statements can SLOW the number of queries per second by a factor of 2 times (max).
So are there any faster method that can prevent SQL injection, but has a better performance?
Thanks.
Richard Levasseur 寫道: If it is MySQL < 4.1, then you are using emulated prepared statements, which may be causing the slowdown. It wouldn't surprise me if PEAR was doing some funny regex's to parse the queries, escape the values, etc.
If you're using a database abstraction library, maybe try switching the abstraction library (See PDO and Adodb, among others), it might speed things up.
It should also be noted that using prepare/execute requires 2 trips to the server (http://dev.mysql.com/tech-resources/...atements.html), since it has to send it to be parsed, then send it to be executed. This would account for the exact factor of 2. ho******@gmail. com wrote: Hi,
When doing mysql query (SELECT statements) in php, we often use prepare statement to prevent SQL injection. However, I just noticed that the prepare statements can SLOW the number of queries per second by a factor of 2 times (max).
So are there any faster method that can prevent SQL injection, but has a better performance?
Thanks.
Thanks...
So is that means in order to prevent SQL injection, we must need this
kind of overhead? ho******@gmail. com wrote: Richard Levasseur 寫道:
If it is MySQL < 4.1, then you are using emulated prepared statements, which may be causing the slowdown. It wouldn't surprise me if PEAR was doing some funny regex's to parse the queries, escape the values, etc.
If you're using a database abstraction library, maybe try switching the abstraction library (See PDO and Adodb, among others), it might speed things up.
It should also be noted that using prepare/execute requires 2 trips to the server (http://dev.mysql.com/tech-resources/...atements.html), since it has to send it to be parsed, then send it to be executed. This would account for the exact factor of 2. ho******@gmail. com wrote: Hi,
When doing mysql query (SELECT statements) in php, we often use prepare statement to prevent SQL injection. However, I just noticed that the prepare statements can SLOW the number of queries per second by a factor of 2 times (max).
So are there any faster method that can prevent SQL injection, but has a better performance?
Thanks.
Thanks...
So is that means in order to prevent SQL injection, we must need this kind of overhead?
You could manually escape the values before you query, its just a lot
more work to $databaseHandle->escape($valu e) for every user submitted
value. This would most likely solve the performance problem. This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Mike Chirico |
last post by:
Interesting Things to Know about MySQL
Mike Chirico (mchirico@users.sourceforge.net)
Copyright (GPU Free Documentation License) 2004
Last Updated: Mon Jun 7 10:37:28 EDT 2004
The latest version of this document can be found at:
http://prdownloads.sourceforge.net/souptonuts/README_mysql.txt?download
|
by: serge calderara |
last post by:
Dear all,
I have read on article that the same SQL querry is call many time, for
perfomramce reaon it is needed to call the SQLCommand.Prepare method before
executing.
What does that prepare really do ? Is it caching somehow the whole select
statement ?
thanks for your reply
|
by: Mairhtin O'Feannag |
last post by:
Hello,
I have a client (customer) who asked the question : "Why would I buy and
use UDB, when MySql is free?"
I had to say I was stunned. I have no experience with MySql, so I was
left sort of stammering and sputtering, and managed to pull out something
I heard a couple of years back - that there was no real transaction
safety in MySql. In flight transactions could be lost.
|
by: # Cyrille37 # |
last post by:
Hello all,
I come to you to getting help for managing multi threading and database connection.
My project use Xml-Rpc to receive messages, so each call come from a different
thread.
Incoming calls are executing SQL on a MysqlConnection.
MysqlConnection does not like when concurents calls appends.
For a fast and dirty solution, I've put a Monitor() at messages arrived.
|
by: Ted |
last post by:
Understand, I have developed a number of applications using RDBMS,
including MySQL, PostgreSQL and MS Access, but this is my first
experience with MS SQL. I'd bet my bottom dollar that MS SQL supports
what I need, but I just haven't found where it is explained in any
detail in the documentation I have. The pages I have found strike me
as a little too terse for my needs.
In MySQL, I used statements like:
PRIMARY KEY (`ic_contact_id`),...
| |
by: william.david.anderson |
last post by:
Hi there,
I'm thinking of using a PREPARE statement inside a stored
procedure, but
am wondering about the performance penalty associated with calling
PREPARE
multiple times. Below is an example of the kind of statements I
was thinking
of using.
|
by: Akino877 |
last post by:
Hello,
I have a small Perl program :
#!/usr/bin/perl -w
use DBI;
use Mysql;
$host = "";
$database = "";
$user = "root";
|
by: fungazid |
last post by:
Help help help please
Im using DBD::mysql, and I want to insert a record into clients table (id, address, and phone-number of a client):
my $str= ?,?,?,,,;
my @args1=('Zalman','Zalmanovich',12121,'New York');
$q=$dbh->prepare("INSERT INTO $table VALUES($str)")
|
by: Gordon |
last post by:
With the move over to PHP 5.x I' mnow writing a lot of code that makes
use of prepared statements as the PHP manual has nothing but good
things to say about them. They have less overhead for the database,
they eliminate the possibility of SQL injection attacks, they are made
of sunshine and fluffy kittens, etc.
Then I got to thinking, in my methods I am preparing a statement and
then running it one to n times, depending on the method and...
|
by: ssnaik84 |
last post by:
Hi Guys,
Last year I got a chance to work with R&D team, which was working on DB scripts conversion..
Though there is migration tool available, it converts only tables and constraints..
Rest of things (stored procedures, functions).. we have to manually edit.
That time, we face some interesting challenges.. I failed to document all of them, but whatever I can share with u.. I will try.. :)
...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, well explore What is ONU, What Is Router, ONU & Routers main usage, and What is the difference between ONU and Router. Lets take a closer look !
Part I. Meaning of...
| |
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed.
This is as boiled down as I can make it.
Here is my compilation command:
g++-12 -std=c++20 -Wnarrowing bit_field.cpp
Here is the code in...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
| |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |