Ravens PHP Scripts: Forums
Misha
Worker



Joined: Jul 30, 2006
Posts: 205
Location: McLean, VA

PostPosted: Fri Oct 06, 2006 8:08 pm

montego wrote:
Misha, it is not an "implementation question" really, but a string definition question. Everywhere that you are building a string, it is much faster to concatenate rather than parse.
Yep, I got this already, thanks. My last silly question was about sql injection danger and where I should try to prevent it, and where it does not make any sense...

On your benchmarks:
I tried hard to compare the code for the second and third cases, and did not find any difference. The difference in times is dramatic, though. What am I missing?

Thanks.

_________________
http://www.funandsafedriving.com/defensive-driving.html 
montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

PostPosted: Fri Oct 06, 2006 10:10 pm

My bad. Sorry about that Misha. Let me dissect the actual SQL string here rather than with PHP code:


SELECT * from nuke_something WHERE field1 = 'somevalue';

This is what the actual SQL needs to end up looking like in the string that is passed to mySQL. So, yes, in order to help prevent SQL injection (notice that I said "help", not "cure"), you should place single quotes around the value. Now, if you are absolutely certain that a variable is an integer (and I mean absolutely certain because YOU made certain), you do not have to use the quotes.

So, I was writing the string definition in both the most efficient manner as well as ensuring that the single quotes were going to be around the value.

Hope that helps.

djmaze, I know, I cannot believe how many of these I cleaned up already in the upcoming RN 2.10 release (still have much more to go). How about this one:

$variable = "" . _STRINGCONSTANT . "";

Oh my....

_________________
Where Do YOU Stand?
HTML Newsletter::ShortLinks::Mailer::Downloads and more... 
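An added example (not code from the thread) showing the two cases montego describes: a string value that is always wrapped in single quotes and escaped, and an integer value where the code itself makes certain it is an integer before dropping the quotes. The function names and the stand-in escaping helper are assumptions for this example; in a real script the escaping would come from mysqli_real_escape_string on the live connection, or the query would use a prepared statement.

```php
<?php
// Stand-in escaper so this runs offline. Real code must use
// mysqli_real_escape_string($link, $value) (it needs the connection's
// character set) or, better, a prepared statement with bound parameters.
function demo_escape(string $value): string
{
    // Backslash is handled first so the later replacements are not re-escaped.
    return str_replace(
        ["\\",   "'",   "\"",   "\0",  "\n",  "\r",  "\x1a"],
        ["\\\\", "\\'", "\\\"", "\\0", "\\n", "\\r", "\\Z"],
        $value
    );
}

// String value: always quoted, always escaped, built by concatenation.
function select_by_string(string $value): string
{
    return "SELECT * FROM nuke_something WHERE field1 = '" . demo_escape($value) . "'";
}

// Integer value: validation plus the (int) cast is what makes the code
// "absolutely certain", so the quotes can be left off. A non-integer input
// is rejected rather than silently coerced to 0.
function select_by_int($value): string
{
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('field1 must be an integer');
    }
    return "SELECT * FROM nuke_something WHERE field1 = " . (int) $value;
}

// Constructed sample inputs.
echo select_by_string("somevalue"), "\n";
echo select_by_string("o'reilly"), "\n";   // the quote stays inside the literal
echo select_by_int("42"), "\n";
try {
    select_by_int("4two");                 // not an integer: rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```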
Gremmie
Former Moderator in Good Standing



Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Fri Oct 06, 2006 10:10 pm

montego wrote:
BTW, someone mentioned HEREDOC syntax previously. It is going to be much slower as well due to the parsing that PHP must do for variable substitution. However, everything in life is about trade-offs... in some cases, you may not care about a few milliseconds or even a second (such as an admin screen), while in other cases you might prefer easier coding and readability.

Agreed.
 
montego







PostPosted: Fri Oct 06, 2006 10:12 pm

Misha, by the way, the semi-colon on the end of my SELECT is a carry-over from my Oracle. I do not believe that is necessary with mySQL. I have not even looked in the db directory files to see if the Oracle sql layer is automatically suffixing the SQL string coming in, but who really cares about Oracle with nuke anyways! Wink

Regardless, don't worry too much with what I just said. Laughing
 
Misha







PostPosted: Fri Oct 06, 2006 10:35 pm

Thanks, Montego! You are educating me little by little Smile
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours