[ciapug] On or Off ...

Carl Olsen carl-olsen at mchsi.com
Fri Aug 12 18:18:04 CDT 2005


I'm just wondering about performance.  I just wrote a class for a table in
my MySQL database and I'm using mysqli for the connections and queries.
Will it increase my performance to add prepared statements?  Here's my code:

<?php

class faqs
{
	private $id;
	private $question;
	private $answer;
	private $order;
	private $conn;
	private $needsupdating = false;
	
	public function __construct($faqid)
	{
		$this->conn = mysqli_connect("host", "username", "password", "database");
		if(!$this->conn)
		{
			throw new Exception("Unable to connect to the server: " . mysqli_connect_error());
		}
		// faq_id is an integer column; casting before building the query keeps
		// anything but a number out of the unquoted WHERE clause.
		$this->id = (int)$faqid;
		$sql = "SELECT faq_question, faq_answer, faq_order FROM faq_faq WHERE faq_id = " . $this->id;
		$rs = mysqli_query($this->conn, $sql);
		if(!$rs)
		{
			throw new Exception("An error occurred selecting from the database: " . mysqli_error($this->conn));
		}
		if(!mysqli_num_rows($rs))
		{
			throw new Exception("The specified faq does not exist!");
		}
		$data = mysqli_fetch_array($rs);
		$this->question = $data['faq_question'];
		$this->answer = $data['faq_answer'];
		$this->order = $data['faq_order'];
		mysqli_free_result($rs);
	}
	
	public function getquestion()
	{
		return $this->question;
	}
	public function getanswer()
	{
		return $this->answer;
	}
	public function getorder()
	{
		return $this->order;
	}
	public function setquestion($question)
	{
		if(!is_string($question) || strlen($question) == 0)
		{
			throw new Exception("Invalid question value");
		}
		$this->question = $question;
		$this->needsupdating = true;
	}
	public function setanswer($answer)
	{
		if(!is_string($answer) || strlen($answer) == 0)
		{
			throw new Exception("Invalid answer value");
		}
		$this->answer = $answer;
		$this->needsupdating = true;
	}
	public function setorder($order)
	{
		// strlen() on an integer is meaningless; the type check is enough.
		if(!is_int($order))
		{
			throw new Exception("Invalid order value");
		}
		$this->order = $order;
		$this->needsupdating = true;
	}
	
	// Changes are written back when the object goes away.
	public function __destruct()
	{
		if(!$this->needsupdating)
		{
			return;
		}
		$sql = "UPDATE faq_faq SET ";
		$sql .= "faq_question = '" . mysqli_real_escape_string($this->conn, $this->question) . "', ";
		$sql .= "faq_answer = '" . mysqli_real_escape_string($this->conn, $this->answer) . "', ";
		$sql .= "faq_order = '" . mysqli_real_escape_string($this->conn, $this->order) . "' ";
		$sql .= "WHERE faq_id = " . $this->id;
		$rs = mysqli_query($this->conn, $sql);
		if(!$rs)
		{
			throw new Exception("An error occurred updating the database: " . mysqli_error($this->conn));
		}
		// An UPDATE returns TRUE, not a result set, so there is nothing to free.
		mysqli_close($this->conn);
	}
}

?>

-----Original Message-----
From: Tony Bibbs [mailto:tony at tonybibbs.com] 
Sent: Friday, August 12, 2005 2:05 PM
To: carl-olsen at mchsi.com; ciapug at cialug.org
Subject: Re: [ciapug] On or Off ...

Are you talking about cleaning it as far as escaping arguments to your 
prepared statements?  If so, 4.1.x should be doing it on the server for 
you.  Older ones would have to be done by your database abstraction layer.

I think it's safe to black-box that much of it.  As long as you are 
using prepared statements you are safe(r).

--Tony
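The two queries from the faqs class rewritten with mysqli prepared statements, as an added example that is not part of Carl's post or Tony's reply. It assumes the same faq_faq table (faq_id, faq_question, faq_answer, faq_order) and the placeholder connection values from the original post; the function names faq_load and faq_save_many are my own. It shows both points raised in the thread: the values are sent to the server separately from the SQL text, so nothing needs escaping, and a statement prepared once can be executed many times, which is where the performance gain lives.

```php
<?php
// Added example (not from the thread). Assumes the faq_faq table from the
// original post; faq_load / faq_save_many are names chosen here.

function faq_load(mysqli $conn, int $faqid): array
{
    // The SQL text carries only a placeholder; the id travels separately as a
    // bound integer, so it is never spliced into the statement and needs no
    // escaping or quoting.
    $stmt = mysqli_prepare($conn,
        "SELECT faq_question, faq_answer, faq_order FROM faq_faq WHERE faq_id = ?");
    if (!$stmt) {
        throw new Exception("prepare failed: " . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, "i", $faqid);
    if (!mysqli_stmt_execute($stmt)) {
        $err = mysqli_stmt_error($stmt);
        mysqli_stmt_close($stmt);
        throw new Exception("execute failed: " . $err);
    }
    mysqli_stmt_bind_result($stmt, $question, $answer, $order);
    if (!mysqli_stmt_fetch($stmt)) {
        mysqli_stmt_close($stmt);
        throw new Exception("The specified faq does not exist!");
    }
    mysqli_stmt_close($stmt);
    return ['question' => $question, 'answer' => $answer, 'order' => $order];
}

function faq_save_many(mysqli $conn, array $faqs): int
{
    // Performance side of the question: the server parses and plans the
    // UPDATE once at prepare time; every execute sends only the bound values.
    $stmt = mysqli_prepare($conn,
        "UPDATE faq_faq SET faq_question = ?, faq_answer = ?, faq_order = ? WHERE faq_id = ?");
    if (!$stmt) {
        throw new Exception("prepare failed: " . mysqli_error($conn));
    }
    // Variables are bound by reference, so reassigning them before each
    // execute is all that is needed.
    mysqli_stmt_bind_param($stmt, "ssii", $question, $answer, $order, $id);
    $updated = 0;
    foreach ($faqs as $id => $row) {
        $question = $row['question'];
        $answer   = $row['answer'];
        $order    = $row['order'];
        if (!mysqli_stmt_execute($stmt)) {
            $err = mysqli_stmt_error($stmt);
            mysqli_stmt_close($stmt);
            throw new Exception("execute failed: " . $err);
        }
        $updated += mysqli_stmt_affected_rows($stmt);
    }
    mysqli_stmt_close($stmt);
    return $updated;
}

// Usage with the placeholder credentials from the original post.
$conn = mysqli_connect("host", "username", "password", "database");
if (!$conn) {
    throw new Exception("Unable to connect to the server: " . mysqli_connect_error());
}
$faq = faq_load($conn, 1);
$faq['question'] = "What's new?";   // an apostrophe, stored as-is
$count = faq_save_many($conn, [1 => $faq]);
mysqli_close($conn);
```

Note that the apostrophe in the updated question reaches the database untouched without any mysqli_real_escape_string call, because the text is a parameter rather than part of the query string. The `int` type on faq_load also rejects a non-numeric id before it ever gets near the connection, which is the check the original constructor lacked.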