Greg Stark <gsstark@mit.edu> writes:
> Doug McNaught <doug@mcnaught.org> writes:
>
> > $sth = $dbh->prepare("select * from mytable where first_name = ?");
> > $ret_val = $sth->execute("Fred"); # might come from a web form instead
> > @row = $sth->fetchrow_array();
> >
> > The database driver is responsible for turning the '?' in the query
> > into a properly-quoted and escaped value, or otherwise supplying it to
> > the database. The '?' is a placeholder.
>
> Except that that's not what the driver does, at least not for databases that
> are capable of doing better. It sends the placeholders to the database as they
> are. (Or in a different syntax like :1 :2 :3 for Oracle for example.)
Right, but currently for PG (this being a PG list :) it just does the
quoting/escaping and builds the query itself. It's still safer than
doing it by hand, as long as the database driver is trustworthy and
knows the database's escaping conventions.
I think there has been discussion about extending the protocol to
allow Oracle-style prepared statement execution, but right now it
isn't supported. Prepared queries only went in in 7.3, after all...
-Doug
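The three ways of handling the value that this thread contrasts (pasting it into the SQL text by hand, the driver quoting it client-side and building the query itself, and a real placeholder bound separately), as an added example that is not code from the thread. It uses Python's built-in sqlite3 in place of PostgreSQL so it runs offline; the constructed table and the toy quote_literal (which knows only the single-quote-doubling convention) are assumptions.

```python
import sqlite3

# Constructed sample table, standing in for PostgreSQL (sqlite3 runs offline).
ROWS = [("Fred", "Flintstone"), ("Barney", "Rubble"), ("Wilma", "Flintstone")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (first_name text, last_name text)")
    conn.executemany("insert into mytable values (?, ?)", ROWS)
    return conn


def quote_literal(value):
    """Toy client-side quoting in the style of a DBI driver that expands '?'
    itself: wrap in single quotes and double any embedded single quote.
    A real driver must also know the database's other conventions (for
    example backslash handling in older PostgreSQL string literals)."""
    return "'" + str(value).replace("'", "''") + "'"


def query_interpolated(conn, first_name):
    # Hand-built SQL: the value is pasted straight into the query text.
    sql = "select * from mytable where first_name = '%s'" % first_name
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return "sql error"  # a stray quote breaks the statement


def query_client_quoted(conn, first_name):
    # What a trustworthy driver does when it builds the query for you.
    sql = "select * from mytable where first_name = %s" % quote_literal(first_name)
    return conn.execute(sql).fetchall()


def query_placeholder(conn, first_name):
    # The value travels separately from the SQL and is bound, never parsed.
    sql = "select * from mytable where first_name = ?"
    return conn.execute(sql, (first_name,)).fetchall()


def compare(first_name):
    """Row count (or 'sql error') that each approach yields for one input."""
    conn = make_db()
    result = {}
    for name, fn in [("interpolated", query_interpolated),
                     ("client_quoted", query_client_quoted),
                     ("placeholder", query_placeholder)]:
        rows = fn(conn, first_name)
        result[name] = rows if isinstance(rows, str) else len(rows)
    return result
```

With a plain name all three agree; with a legitimate apostrophe (O'Brien) only the hand-built query breaks, and with a quote-tautology input only the hand-built query returns every row, while the client-quoted and placeholder forms both treat it as a literal string.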