a simple question I wasn't able to get a clear answer on....
It is general best practice to use prepared statements and parameters
rather than concatenated strings to build sql statements as mitigation
against SQL injection. However, in some databases I've used, there is
also a performance advantage. For example, the planner may be able to
more easily recognise a statement and reuse an existing plan rather than
re-planning the query.
I wasn't sure what the situation is with postgres - is there a
performance benefit in using prepared statements over a query string
where the values are just concatenated into the string?
thanks,
Tim
--
Tim Cross
