Re: Prepared statements considered harmful

Lukas Kahwe Smith wrote:
> Martijn van Oosterhout wrote:
>> On Thu, Aug 31, 2006 at 11:27:18AM -0400, Tom Lane wrote:
>>>> I'd wish that we reconsider when and how prepared statements are
>>>> used. The JDBC interface and PL/pgSQL are frequently noticed
>>>> perpetrators, but the problem is really all over the place.
>>> AFAIK those are the only two places where preparation is the default
>>> ... what else were you thinking of?
>>
>> Perl DBI (DBD::Pg) defaults to prepared plans when connecting to a
>> version 8.0 or higher server.
>>
>> Or at least, that's the way I read the documentation.
>
> AFAIK this is also the case for PHP PDO extension, which is bundled
> since PHP 5.1.

BTW: PDO has gotten a switch to force client side placeholder
replacement in favor of using server side prepared statements due to the
fact that prepared statements side-step the MySQL query cache.

http://netevil.org/node.php?uuid=444a6017-0548-2459-2943-44a601714d58
BTW: I am not posting this to solicit MySQL bashing.

The main reason why PDO pushes prepared statements is the fact that they
offer good protection against SQL injection. However obviously in shared
nothing architectures like PHP, which does not yet have any sort of
connection/statement-pooling solution, the danger of prepared statements
becoming stale over time is small. However the problem of running the
same statements with two different parameters that require different
plans is still quite real.

regards,
Lukas