http://www.perlmonks.org?node_id=665899


in reply to Re: Securing DB transactions with user form input
in thread Securing DB transactions with user form input

I can't think of any reason why placeholders wouldn't be used as a matter of course.

I have seen some cases where not using placeholders gave the database extra information that would result in more efficient query execution plans.

For example if you have a table with a gender column, and only 2% of the rows have the value F, it might be helpful (in the decision whether to use a certain index or type of join) to let the database see what gender your query is about.

select * from some_table where gender = 'F';

Another example is the page size for paged data.

Of course, those are edge cases, only affect databases sophisticated enough to make those kind of decisions in the first place (and those databases usually also have means to workaround the issue while still using bind variables), and are most often not related to direct user input anyway.

In general, I absolutely agree that not using bind variables is a cardinal sin. If you are using direct interpolation into the query string, be prepared to have a very good explanation for it.