Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask

Re^2: Securing DB transactions with user form input

by Thilosophy (Curate)
on Feb 04, 2008 at 04:17 UTC ( #665899=note: print w/replies, xml ) Need Help??

in reply to Re: Securing DB transactions with user form input
in thread Securing DB transactions with user form input

I can't think of any reason why placeholders wouldn't be used as a matter of course.

I have seen some cases where not using placeholders gave the database extra information that would result in more efficient query execution plans.

For example if you have a table with a gender column, and only 2% of the rows have the value F, it might be helpful (in the decision whether to use a certain index or type of join) to let the database see what gender your query is about.

select * from some_table where gender = 'F';

Another example is the page size for paged data.

Of course, those are edge cases, only affect databases sophisticated enough to make those kind of decisions in the first place (and those databases usually also have means to workaround the issue while still using bind variables), and are most often not related to direct user input anyway.

In general, I absolutely agree that not using bind variables is a cardinal sin. If you are using direct interpolation into the query string, be prepared to have a very good explanation for it.

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://665899]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others studying the Monastery: (5)
As of 2022-05-18 14:32 GMT
Find Nodes?
    Voting Booth?
    Do you prefer to work remotely?

    Results (71 votes). Check out past polls.