
MYSQL, PHP and Bind variables in SQL

Hi All,

What is the PHP equivalent of Oracle bind variables in a SQL statement, e.g.

select x from y where z=:parameter

Which in asp/jsp would be followed by some statements to bind a value to :parameter

I don't like the idea of making the SQL statement on the fly without binding parameters as I
don't want a highly polluted SQL cache.

I'm using the v latest MySQL 4.1.0, PHP 4.3.2 and Apache.

Thanks
Jack
Jul 16 '05 #1
2 Replies


On Thu, 26 Jun 2003 15:05:35 +0000 (UTC), Jack <ne***@inamillion1.com> wrote:
> What is the PHP equivalent of Oracle bind variables in a SQL statement, e.g.
>
> select x from y where z=:parameter

It looks like it's only recently been added to MySQL, in 4.1.x according to
the changelog - which is not a production version, it's still Alpha.

In the prior versions, you have to stuff the values into the SQL statement.
(Yuk - SQL injection attacks, worrying about escaping, etc.).

There are DB abstraction layers that emulate bind variables, e.g. Pear DB.

PHP's MySQL interface hasn't yet caught up with the MySQL C API that now
appears to allow '?' as a placeholder for a bind variable (so still no named
binds, but at least there's positional binds).

Looks like it's in development:
http://www.php.net/manual/en/functio...li-prepare.php

> Which in asp/jsp would be followed by some statements to bind a value to :parameter
>
> I don't like the idea of making the SQL statement on the fly without binding parameters as I
> don't want a highly polluted SQL cache.
>
> I'm using the v latest MySQL 4.1.0, PHP 4.3.2 and Apache.


MySQL doesn't seem to have an SQL cache. In 4.x there's a 'query cache'
that caches the results of queries, by matching the entire text of a query. But
no SQL cache in the Oracle sense, as in cached execution plans.

--
Andy Hassall (an**@andyh.co.uk) icq(5747695) (http://www.andyh.co.uk)
Space: disk usage analysis tool (http://www.andyhsoftware.co.uk/space)
Jul 16 '05 #2
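
The difference between stuffing values into the SQL text and using the positional `?` binds mentioned in the reply above, as an added example that is not part of the original thread. It assumes a current PHP with the mysqli extension and a reachable MySQL server; the connection details are placeholders, the table `y` and columns `x`, `z` come from the question, and the rows and inputs are constructed.

```php
<?php
// Added example, not code from the thread. Connection details are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'test'); // assumed values

// Constructed sample data in a temporary table that vanishes with the connection.
$db->query('CREATE TEMPORARY TABLE y (x INT, z VARCHAR(64))');
$db->query("INSERT INTO y (x, z) VALUES (1, 'alpha'), (2, 'beta'), (3, 'O''Brien')");

// Values as they might arrive from a request (constructed).
$inputs = ['alpha', "O'Brien", "nothing' OR '1'='1"];

// "Before": the value is pasted into the SQL text, so a quote in it changes the statement.
function lookup_concatenated(mysqli $db, string $z): array
{
    $rows = [];
    try {
        $result = $db->query("SELECT x FROM y WHERE z = '$z'");
        while ($row = $result->fetch_row()) {
            $rows[] = (int) $row[0];
        }
    } catch (mysqli_sql_exception $e) {
        return ['syntax error']; // an unescaped quote broke the statement
    }
    return $rows;
}

// "After": the SQL text is fixed; the value travels separately as a positional bind.
function lookup_bound(mysqli $db, string $z): array
{
    $stmt = $db->prepare('SELECT x FROM y WHERE z = ?');
    $stmt->bind_param('s', $z); // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($x);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = (int) $x;
    }
    $stmt->close();
    return $rows;
}

foreach ($inputs as $z) {
    printf("%-22s concatenated=%s bound=%s\n", $z,
        json_encode(lookup_concatenated($db, $z)), json_encode(lookup_bound($db, $z)));
}
```

With the bound form, a value containing a quote is compared as data: it either matches a stored string exactly or matches nothing, and no escaping step is needed.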

Andy Hassall <an**@andyh.co.uk> wrote in
news:sd********************************@4ax.com:
> It looks like it's only recently been added to MySQL, in 4.1.x according to
> the changelog - which is not a production version, it's still Alpha.
>
> In the prior versions, you have to stuff the values into the SQL statement.
> (Yuk - SQL injection attacks, worrying about escaping, etc.).


Yep, main reason I want binds - security :)

Thanks for response! Will look into pear.
Jul 16 '05 #3
