sigmasternchen/php-doc-en
1
0
Fork 0
mirror of https://github.com/sigmasternchen/php-doc-en synced 2025-03-15 16:38:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Abstracted the prepared statement article to remove references to the second person and make references to the application or to developers.

Browse source 
git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@288441 c90b9560-bf6c-de11-be94-00142212c4b1
This commit is contained in:
Brandon Savage 2009-09-18 18:14:24 +00:00
parent 05d68e4ea4
commit 542041e8fa
1 changed files with 19 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
reference/pdo/prepared-statements.xml
View file

@ -5,9 +5,9 @@
<title>Prepared statements and stored procedures</title>
<para>
Many of the more mature databases support the concept of prepared
statements. What are they? You can think of them as a kind of compiled
template for the SQL that you want to run, that can be customized using
variable parameters. Prepared statements offer two major benefits:
statements. What are they? They can be thought of as a kind of compiled
template for the SQL that an application wants to run, that can be customized
using variable parameters. Prepared statements offer two major benefits:
</para>
<itemizedlist>
<listitem>
@ -16,28 +16,28 @@
executed multiple times with the same or different parameters. When the
query is prepared, the database will analyze, compile and optimize it's
plan for executing the query. For complex queries this process can take
up enough time that it will noticeably slow down your application if you
need to repeat the same query many times with different parameters. By
using a prepared statement you avoid repeating the
analyze/compile/optimize cycle. In short, prepared statements use fewer
up enough time that it will noticeably slow down an application if there
is a need to repeat the same query many times with different parameters. By
using a prepared statement the application avoids repeating the
analyze/compile/optimize cycle. This means that prepared statements use fewer
resources and thus run faster.
</simpara>
</listitem>
<listitem>
<simpara>
The parameters to prepared statements don't need to be quoted; the
driver handles it for you. If your application exclusively uses
prepared statements, you can be sure that no SQL injection will occur.
(However, if you're still building up other parts of the query based on
untrusted input, you're still at risk).
driver automatically handles this. If an application exclusively uses
prepared statements, the developer can be sure that no SQL injection will
occur (however, if other portions of the query are being built up with
unescaped input, SQL injection is still possible).
</simpara>
</listitem>
</itemizedlist>
<para>
Prepared statements are so useful that they are the only feature that PDO
will emulate for drivers that don't support them. This ensures that you
will be able to use the same data access paradigm regardless of the
capabilities of the database.
will emulate for drivers that don't support them. This ensures that an
application will be able to use the same data access paradigm regardless of
the capabilities of the database.
</para>
<para>
<example>
@ -118,12 +118,12 @@ if ($stmt->execute(array($_GET['name']))) {
</example>
</para>
<para>
If the database driver supports it, you may also bind parameters for
If the database driver supports it, an application may also bind parameters for
output as well as input. Output parameters are typically used to retrieve
values from stored procedures. Output parameters are slightly more complex
to use than input parameters, in that you must know how large a given
parameter might be when you bind it. If the value turns out to be larger
than the size you suggested, an error is raised.
to use than input parameters, in that a developer must know how large a given
parameter might be when they bind it. If the value turns out to be larger
than the size they suggested, an error is raised.
</para>
<para>
@ -146,7 +146,7 @@ print "procedure returned $return_value\n";
</para>
<para>
You may also specify parameters that hold values both input and output;
Developers may also specify parameters that hold values both input and output;
the syntax is similar to output parameters. In this next example, the
string 'hello' is passed into the stored procedure, and when it returns,
hello is replaced with the return value of the procedure.