SQL Parameterization vs. Escaping
https://stackoverflow.com/questions/4412523
-
08-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
If your language/database of choice has a built-in function to escape user-input, (for instance, mysql_real_escape_string) what are the arguments for SQL parameterization? Is it possible that mysql_real_escape_string might, at some point, leave an application vulnerable?
I use parameterization because I've been told / have read it's the better way to go, but I don't just want to follow blindly. Any insight? Thanks!
Solution
Arguments for parameterization is performance.
If you are going to execute the following sentence several times:
insert into table (col1, col2) values (?, ?);
It's better to use parameters since the query is going to be evaluated only (parsed, plan analysis and computation) once, and will be executed many times.
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
