is there any reason to use one over the other in terms of speed and safety? Thanks!
+2
A:
Speed:
- When you use bind parameters you can reuse the same query and query plan, just changing the parameters. When you build a query from strings the database has to reparse the statement.
- With bind parameters the SQL parser also has less work to do. The parameters aren't escaped so the parsing is simpler.
Safety:
- In my opinion, it is much easier to remember to use parameters than to remember to escape strings.
Mark Byers
2010-07-29 02:03:25
Very much agree with the safety point. It's so easy to miss out on escaping a string, especially when there's values that one would expect not to escape like numerical values. It's much safer and easier to use prepared statements, and you never have to worry about forgetting anything. Plus, it's so much easier to read a query in code when it isn't interspersed with a bunch of concatenation operators.
Kibbee
2010-07-29 02:08:28