Re: problem with serial

From: Chris Angelico <rosuav(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: problem with serial
Date: 2012-04-19 23:58:28
Message-ID: CAPTjJmp_p2-55746-kmSSiAzuVmHFvxYqEKiXuuA6iv6ixL9vg@mail.gmail.com
Lists: pgsql-general

On Fri, Apr 20, 2012 at 5:33 AM, Raymond O'Donnell <rod(at)iol(dot)ie> wrote:
> Yep - no need to worry about quoting if you use parameters - it's all
> done for you. It's also MUCH safer, as it makes SQL injection attacks
> much harder (if not impossible).

And in some cases, it can even be more bandwidth-efficient. I don't
know if PDO can take advantage of this, but with the
PostgreSQL-specific functions (pg_query_params etc), an alternative
protocol method is used that sends the query and its parameters
separately, to great efficiency.

ChrisA
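
Added example, not part of the original message: Python code that builds the frontend messages of PostgreSQL protocol version 3 to show what sending the query and its parameters separately looks like on the wire. A concatenated statement travels as one Query message whose SQL text contains the value, while the parameterized form travels as a Parse message holding only `$1` plus a Bind message carrying the value as length-prefixed data. The table `items`, the column `name` and the sample value are constructed for illustration.

```python
import struct

def _msg(tag: bytes, body: bytes) -> bytes:
    # v3 frontend message: 1-byte type, Int32 length (counts itself, not the type), body.
    return tag + struct.pack("!I", len(body) + 4) + body

def _cstr(s: str) -> bytes:
    return s.encode("utf-8") + b"\x00"

def simple_query(sql: str) -> bytes:
    """Query ('Q'): the whole statement, values included, is one SQL string."""
    return _msg(b"Q", _cstr(sql))

def parse(sql: str, stmt: str = "") -> bytes:
    """Parse ('P'): SQL with $n placeholders; 0 type OIDs lets the server infer types."""
    return _msg(b"P", _cstr(stmt) + _cstr(sql) + struct.pack("!H", 0))

def bind(params, stmt: str = "", portal: str = "") -> bytes:
    """Bind ('B'): each value is length-prefixed data, never parsed as SQL."""
    body = _cstr(portal) + _cstr(stmt)
    body += struct.pack("!H", 0)              # 0 format codes: all params are text
    body += struct.pack("!H", len(params))
    for p in params:
        if p is None:
            body += struct.pack("!i", -1)     # NULL: length -1, no value bytes
        else:
            raw = str(p).encode("utf-8")
            body += struct.pack("!i", len(raw)) + raw
    body += struct.pack("!H", 0)              # 0 result format codes: text results
    return _msg(b"B", body)

def sql_text_sent(message: bytes) -> str:
    """Return the SQL string the server's parser sees in a Q or P message."""
    tag, body = message[:1], message[5:]
    if tag == b"Q":
        return body.split(b"\x00")[0].decode()
    if tag == b"P":
        return body.split(b"\x00")[1].decode()  # field 0 is the statement name
    raise ValueError("not a Query or Parse message")

# Constructed sample input: a value containing quotes and SQL syntax.
VALUE = "x' OR '1'='1"
concatenated = simple_query("SELECT * FROM items WHERE name = '" + VALUE + "'")
parsed = parse("SELECT * FROM items WHERE name = $1")
bound = bind([VALUE])

if __name__ == "__main__":
    print("Q sql :", sql_text_sent(concatenated))
    print("P sql :", sql_text_sent(parsed))
    print("B data:", bound)
```

In the Query message the value's quote characters become part of the statement the server parses; in the Parse/Bind pair the parser only ever sees `$1`, which is why no quoting is needed.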
