> Hello,
> I would like to know why MediaWiki is encoding SQL parameters instead of
> using prepared statements with placeholders.
Multiple reasons. We're using our magic Database class which
sometimes does quite some query abstraction.
> I only know of advantages to using prepared statements, like security
> from possible SQL injections, speed from having SQL statements pre-parsed,
> and code that is easier to write and read.
We eliminate possible SQL injections by using Database methods.
Even then, there're various dynamic bits in our queries, like numbers
of arguments (especially when IN() construct is used), dynamic
LIMITs, etc.
Also, 'preparsed' doesn't really work, as we have short-living
connections, and no statements are repeated, which makes two
roundtrips instead of one, if prepared statements are used.
Now, if Database methods are used properly, code is quite easy to
read and write.
For other users PSes until lately would not use MySQL's Query Cache.
> Prepared statements using MySQL directly:
> http://devzone.zend.com/node/view/id/686
Ooh, thanks for letting us know! :)
> Could you guys explain why you are not using prepared statements in
> MediaWiki code?
No benefit in actually using them for us, even more cost.
--
Domas Mituzas --
http://dammit.lt/ -- [[user:midom]]
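As an added example (not MediaWiki's own Database class code), the two approaches the thread contrasts for a query with a dynamic IN() list and a dynamic LIMIT, written in Python against an in-memory SQLite database standing in for MySQL: one assembles the whole statement as text with every literal quoted and escaped, the other has to generate one placeholder per IN() value and bind them. The table, rows, and helper names are constructed for the example.

```python
import sqlite3

# Constructed sample data: a tiny "page" table standing in for MediaWiki's.
SAMPLE_ROWS = [(1, "Main_Page"), (2, "O'Reilly"), (3, "Sandbox")]


def make_db():
    """Create the in-memory database (assumption: SQLite in place of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_id INTEGER PRIMARY KEY, page_title TEXT NOT NULL)")
    conn.executemany("INSERT INTO page VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def add_quotes(value):
    """Quote and escape one literal so it can be pasted into SQL text.

    Hypothetical stand-in for an addQuotes-style Database helper; SQLite's
    rule is to double the single quote. Integers and NULL need no quotes.
    """
    if value is None:
        return "NULL"
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def select_titles_escaped(conn, titles, limit):
    """Escaping approach: the whole statement, IN() list and LIMIT included,
    is built as text, and every dynamic piece goes through add_quotes()."""
    if not titles:  # "IN ()" is invalid SQL, so answer the empty query directly
        return []
    in_list = ", ".join(add_quotes(t) for t in titles)
    sql = (f"SELECT page_title FROM page WHERE page_title IN ({in_list}) "
           f"ORDER BY page_id LIMIT {int(limit)}")
    return [row[0] for row in conn.execute(sql)]


def select_titles_prepared(conn, titles, limit):
    """Placeholder approach: the statement text still changes per call,
    because IN() needs exactly one '?' per value; LIMIT is bound as well."""
    if not titles:
        return []
    placeholders = ", ".join(["?"] * len(titles))
    sql = (f"SELECT page_title FROM page WHERE page_title IN ({placeholders}) "
           "ORDER BY page_id LIMIT ?")
    return [row[0] for row in conn.execute(sql, [*titles, int(limit)])]


if __name__ == "__main__":
    db = make_db()
    wanted = ["O'Reilly", "Sandbox", "x' OR '1'='1"]  # constructed, includes quotes
    print(select_titles_escaped(db, wanted, 10))   # ["O'Reilly", 'Sandbox']
    print(select_titles_prepared(db, wanted, 10))  # same rows either way
```

Both functions return the same rows for the same input; the difference the thread is about is that the placeholder version still has to rebuild its statement text whenever the number of IN() values changes, so nothing is gained from preparing it once.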