Hello,
I would like to know why MediaWiki is encoding SQL parameters instead of using prepared statements with placeholders.
Multiple reasons. We're using our magic Database class which sometimes does quite some query abstraction.
I just know advantages on using prepared statements, like security from possible SQL injections, speed by having SQL statements preparsed and the code is easier to write and read.
We eliminate possible SQL injections by using Database methods. Even then, there're various dynamic bits in our queries, like numbers of arguments (especially when IN() construct is used), dynamic LIMITs, etc. Also, 'preparsed' doesn't really work, as we have short-living connections, and no statements are repeated, which makes two roundtrips instead of one, if prepared statements are used. Now, if Database methods are used properly, code is quite easy to read and write.
For other users PSes until lately would not use MySQL's Query Cache.
Prepared statements using MySQL directly: http://devzone.zend.com/node/view/id/686
Ooh, thanks for letting us know! :)
Could you guys explain why not using prepared statements in MediaWiki code?
No benefit in actually using them for us, even more cost.