Re: Use Placeholders. For SECURITY and (sometimes) for PERFORMANCE

Don't forget about prepare_cached(). This can really help under mod_perl.

This code will do little more than suck up more memory:

for my $val(@values) {
    $val = $dbh->quote($val);
    my $sth = $dbh->prepare_cached(
       "UPDATE foo SET bar=7 WHERE baz=$val"
    );
    $sth->execute();
}
[download]

This code takes up a little more memory, but also avoids having to re-prepare what is really the same statement with different input:

for my $val(@values) {
    my $sth = $dbh->prepare_cached(
       "UPDATE foo SET bar=7 WHERE baz=?"
    );
    $sth->execute($val);
}
[download]

----
I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident.
-- Schemer

: () { :|:& };:

Note: All code is untested, unless otherwise stated

Comment on Re: Use Placeholders. For SECURITY and (sometimes) for PERFORMANCE Select or Download Code

Replies are listed 'Best First'.
Re: Re: Use Placeholders. For SECURITY and (sometimes) for PERFORMANCE by mpeppler (Vicar) on Nov 14, 2003 at 22:38 UTC
Errm... if I may - that's not a very good example of using `prepare_cached()`: just moving the prepare() out from the for loop and using placeholders would have worked fine (and yes, I'm fairly sure that you know this - just pointing this out for others reading this thread). `prepare_cached()` is really for the situation where you are likely to call a particular query more than once, possibly from different parts of your program, but not sequentially. In that situation DBI and the RDBMS will keep a copy of the query (and its query plan) on hand and re-use it when it is requested. You should keep in mind when using it that `prepare_cached()` will consume resources on the database server, because it will keep all of the queries that each client requests on hand/in cache until the clients disconnect. In some cases these query plans can be shared between clients (i.e. two different clients executing the same query), but not always (in particular I don't think that Sybase and/or MS-SQL will share query plans for prepared queries that use placeholders). These are all items that need to be kept in mind - as with most things that pertain to database tuning/optimization the advisability of using a particular solution "depends" on the local circumstances. Michael	[reply] [d/l] [select]
Re: Re: Re: Use Placeholders. For SECURITY and (sometimes) for PERFORMANCE by hardburn (Abbot) on Nov 17, 2003 at 14:34 UTC
that's not a very good example of using prepare_cached(): . . . That's why I mentioned mod_perl, which, when combined with Apache::DBI, will allow you to keep `prepare_cached()` statements around until Apache is shut down. ---- I wanted to explore how Perl's closures can be manipulated, and ended up creating an object system by accident. -- Schemer `: () { :\|:& };:` Note: All code is untested, unless otherwise stated	[reply] [d/l] [select]