On 11 August 2015 at 06:44, Mister Junk <junkmail3568540@gmail.com> wrote:
> I'm using prepared statements to prevent SQL injection, but I have done some
> reading and it seems like using Prepared statements COULD improve
> performance. I understand the concept, but I do not know how to implement
> this.
They could, they could also reduce performance.
Prepared statements store and reuse an earlier generated query plan
for a query, so that's the time you safe.
However, because the query planner can't make use of the actual query
parameter values (they are yet unknown at that point), it can only
generate a general query plan.
If your data is equally distributed for your query parameters, that
won't matter much, but if some values are far more common than others,
that can actually hurt performance.
In case of a normal statement, the query planner has enough
information to decide which plan would be more efficient. With a
prepared statement it has not.
