[ciapug] On or Off ...
Tony Bibbs
tony at tonybibbs.com
Mon Aug 22 09:15:24 CDT 2005
Sorry for the delay, I was on vacation.
Well, given you have already written both a raw SQL and prepared
statement version, I would simply use a timer to see how they do. I've
attached a simple timer class for you to use (not that you'd really need
it).
My guess is the prepared statements, if not supported by your DBMS, will
take a little longer but the security blanket it gives will probably
offset any performance concerns.
--Tony
Carl Olsen wrote:
> I'm just wondering about performance. I just wrote a class for a table in
> my MySQL database and I'm using mysqli for the connections and queries.
> Will it increase my performance to add prepared statements? Here's my code:
>
> <?php
>
> class faqs
> {
> private $id;
> private $question;
> private $answer;
> private $order;
> private $conn;
> private $needsupdating = false;
>
> public function __construct($faqid)
> {
> $this->conn = mysqli_connect("host", "username", "password",
> "database");
> if(!$this->conn)
> {
> throw new Exception("Unable to connect to the
> server: " . mysqli_connect_error());
> }
> $sql = "SELECT faq_question, faq_answer, faq_order FROM
> faq_faq WHERE faq_id = " . $faqid;
> $rs = mysqli_query($this->conn, $sql);
> if(!$rs)
> {
> throw new Exception("An error occurred selecting
> from the database: " . mysqli_error($this->conn));
> }
> if(!mysqli_num_rows($rs))
> {
> throw new Exception("The specified faq does not
> exist!");
> }
> $data = mysqli_fetch_array($rs);
> $this->id = $faqid;
> $this->question = $data['faq_question'];
> $this->answer = $data['faq_answer'];
> $this->order = $data['faq_order'];
> mysqli_free_result($rs);
> }
>
> public function getquestion()
> {
> return $this->question;
> }
> public function getanswer()
> {
> return $this->answer;
> }
> public function getorder()
> {
> return $this->order;
> }
> public function setquestion($question)
> {
> if(!is_string($question) || strlen($question) == 0)
> {
> throw new Exception("Invalid question value");
> }
> $this->question = $question;
> $this->needsupdating = true;
> }
> public function setanswer($answer)
> {
> if(!is_string($answer) || strlen($answer) == 0)
> {
> throw new Exception("Invalid answer value");
> }
> $this->answer = $answer;
> $this->needsupdating = true;
> }
> public function setorder($order)
> {
> if(!is_integer($order) || strlen($order) == 0)
> {
> throw new Exception("Invalid order value");
> }
> $this->order = $order;
> $this->needsupdating = true;
> }
>
> public function __destruct()
> {
> if(!$this->needsupdating)
> {
> return;
> }
> $sql = "UPDATE faq_faq SET ";
> $sql .= "faq_question = '" .
> mysqli_real_escape_string($this->conn, $this->question) . "', ";
> $sql .= "faq_answer = '" .
> mysqli_real_escape_string($this->conn, $this->answer) . "', ";
> $sql .= "faq_order = '" .
> mysqli_real_escape_string($this->conn, $this->order) . "' ";
> $sql .= "WHERE faq_id = " . $this->id;
> $rs = mysqli_query($this->conn, $sql);
> if(!$rs)
> {
> throw new Exception("An error occurred updating the
> database: " . mysqli_error($this->conn));
> }
> mysqli_free_result($rs);
> mysqli_close($this->conn);
> }
> }
>
> ?>
>
> -----Original Message-----
> From: Tony Bibbs [mailto:tony at tonybibbs.com]
> Sent: Friday, August 12, 2005 2:05 PM
> To: carl-olsen at mchsi.com; ciapug at cialug.org
> Subject: Re: [ciapug] On or Off ...
>
> Are you talking about cleaning it as far as escaping arguments to your
> prepared statements? If so, 4.1.x should be doing it on the server for
> you. Older ones would have to be done by your database abstraction layer.
>
> I think it's safe to black-box that much of it. As long as you are
> using prepared statements you are safe(r).
>
> --Tony
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://cialug.org/pipermail/ciapug/attachments/20050822/115872e1/Timer-0001.htm
More information about the ciapug
mailing list