Thread: Prepared queries vs Non-prepared

Hi!
I am testing the PHP PDO library versus the old style PHP postgres
functions.

I noted that PDO library declare and prepare every statement. I mean:

$s = $db->query("select * from test where field=1");

is equivalent to

$s = $db->prepare("select * from test where field=?");
$s->execute(array('1'));

I logged the queries sent to the database and i saw that they are the
same (apart obviously the parameter):

PREPARE pdo_pgsql_stmt_b7a71234 AS select * from test where field=1
<BIND>
EXECUTE <unnamed>  [PREPARE:  select * from test where field=1]

PREPARE pdo_pgsql_stmt_b7a713b0 AS select * from test where field=$1
<BIND>
EXECUTE <unnamed>  [PREPARE:  select * from test where field=$1]


Speaking about postgresql performance...
would not it be more efficient executing directly the query in the first
case ($db->query) than
preparing a statement without parameters and then executing it?

Thank you in advance,
Denis

Denis Gasparin wrote:
> Hi!
> I am testing the PHP PDO library versus the old style PHP postgres
> functions.
>
> I noted that PDO library declare and prepare every statement. I mean:
>
> $s = $db->query("select * from test where field=1");
>
> is equivalent to
>
> $s = $db->prepare("select * from test where field=?");
> $s->execute(array('1'));

> Speaking about postgresql performance...
> would not it be more efficient executing directly the query in the first
> case ($db->query) than
> preparing a statement without parameters and then executing it?

It almost certainly is faster, at least for very short queries that you
only run once. Hopefully if I run the same query twice in a row, the PDO
library doesn't prepare it twice.

However, the separate prepare/execute is a little safer since it's
harder for a user-supplied parameter to have the wrong type or do sql
injection.

--
   Richard Huxton
   Archonet Ltd