Re: [Chicken-users] sql.egg: incompatible change
From: Graham Fawcett
Subject: Re: [Chicken-users] sql.egg: incompatible change
Date: Sun, 19 Aug 2007 19:17:02 -0400
On 8/19/07, Matthew Welland <address@hidden> wrote:
> By the by I suspect that option 2. doesn't protect against SQL injection
> threats to the same degree that option 1. does. Also, I believe that there
> are optimizations that can be done with positional arguments for when a
> query is called multiple times with different arguments. Can the sql egg
> approach ever take advantage of those types of optimizations?
You're thinking of "prepared statements". Pass a query with positional
arguments in it to your database engine; it parses and prepares an
execution plan, returning a statement "handle". You can then reuse the
prepared statement any number of times, without the parsing/planning
overhead. It's effective protection against SQL injection, for the
same reasons.
That being said, it is outside the scope of the sql egg. A common DBI
would be an appropriate place for a prepared-statement interface, but
the actual preparation is done by the RDBMS.
Graham
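An added illustration of the two points Graham makes above (prepared statements bind positional arguments as data, and the same statement can be reused), written here in Python against the standard-library sqlite3 module rather than the Chicken sql egg; it is example code, not anything from this thread or the egg, and the table, rows and function names are constructed for the demo.

```python
import sqlite3

def make_db():
    # Constructed sample data: an in-memory table standing in for a real database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def find_by_name_concat(conn, name):
    # Query text built by string concatenation: the caller's value becomes part
    # of the SQL the parser sees, so a value containing quotes or operators can
    # change what the statement means rather than just what it compares against.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def find_by_name_prepared(conn, name):
    # Positional placeholder ("?"): the engine parses and plans the statement
    # text, then binds the value as data at execution time. The value never
    # reaches the parser, so it cannot alter the statement's structure.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

def find_many_prepared(conn, names):
    # The same statement text reused for many inputs. sqlite3 keeps a per
    # connection statement cache, so the parse/plan cost is paid once and only
    # the bound value changes between executions.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [[row[0] for row in conn.execute(sql, (n,))] for n in names]

if __name__ == "__main__":
    db = make_db()
    # A value that is harmless as data but reshapes the query when concatenated.
    probe = "' OR '1'='1"
    print("concatenated:", find_by_name_concat(db, probe))   # every row comes back
    print("prepared:    ", find_by_name_prepared(db, probe)) # no row has that name
    print("reused:      ", find_many_prepared(db, ["alice", "nobody"]))
```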