Databases for REAL
SQL Prepared Statements
Exploring a sweet new feature
Issue: 9.2 (January/February 2011)
Article Description: No description available.
Article Length (in bytes): 3,360
Starting Page Number: 78
RBD Number: 9212
Resource File(s): None
Related Link(s): None
Known Limitations: None
Excerpt of article text...
REAL Studio 2010 Release 4.1 added a great new feature: SQL Prepared Statements (also known as parameter binding). With this new feature you no longer have to build your entire SQL statement by string concatenation. This has two major benefits: performance and security.
Before an SQL statement can be run, the DB engine has to parse it. Depending on the complexity of the statement, this could add a noticeable performance hit, particularly if the SQL is used repeatedly.
But when you use the prepared statement feature, your SQL is parsed just once by the database engine. The results of the parsed statement are saved so that subsequent SELECTs can be run immediately without any parsing.
Have you ever heard of SQL injection attacks? Although not really a concern with desktop applications, SQL injection is a serious concern with web applications. And now that REAL Studio Web Edition is available, this is something we all need to understand.
Let's say your login page checks for a valid user in this (rather simplistic) manner:
...End of Excerpt. Please purchase the magazine to read the full article.
Article copyrighted by REALbasic Developer magazine. All rights reserved.
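The two points the excerpt makes, a login check built by string concatenation versus the same check with parameter binding, as an added example that is not the article's own REAL Studio code. It is written in Python against the standard-library sqlite3 module (an assumed stand-in for the REAL Studio database classes) with a constructed in-memory user table; the function names, table layout and test inputs are all assumptions made for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory user table (sample data, not from the article).

    Passwords are stored in plaintext only to keep the demo small; the article
    calls its login check 'rather simplistic' for the same reason.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("o'brien", "battery staple")],
    )
    conn.commit()
    return conn


def login_concat(conn, name, password):
    """Login check assembled by string concatenation.

    The user's input becomes part of the SQL *text*, so the database engine
    parses it as SQL every time, and any quote character in the input changes
    the structure of the statement rather than just the value compared.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, name, password):
    """Same check with parameter binding (a prepared statement).

    The SQL text is a fixed string with '?' placeholders, so the engine parses
    one statement and receives the name and password as *values* bound to the
    placeholders. Input text can never be mistaken for SQL, and sqlite3 reuses
    the parsed statement when the same SQL string is executed again.
    """
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def compare(conn, name, password):
    """Run both checks on the same input and report what each one decided.

    A concatenated statement that fails to parse (for example, because the
    input contains a quote) raises sqlite3.OperationalError; that is reported
    as the string 'error' rather than a True/False result.
    """
    try:
        concat_result = login_concat(conn, name, password)
    except sqlite3.OperationalError:
        concat_result = "error"
    return {"concat": concat_result, "prepared": login_prepared(conn, name, password)}


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a correct login, a wrong password, a name that
    # legitimately contains a quote, and the classic tautology that the
    # concatenated check accepts as SQL.
    for who, pw in [
        ("alice", "correct horse"),
        ("alice", "wrong"),
        ("o'brien", "battery staple"),
        ("alice", "' OR '1'='1"),
    ]:
        print(repr(who), repr(pw), compare(db, who, pw))
```

With the correct credentials both checks agree. The differences show up on the other inputs: the concatenated statement fails to parse when the legitimate user `o'brien` logs in, and it accepts the tautology input because the quote closes the string literal and the rest is parsed as SQL; the prepared statement treats both inputs as plain values and returns the right answer each time.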