[nycphp-talk] PDO or sprintf for creating sql queries.
Rob Marscher
rmarscher at beaffinitive.com
Thu Nov 8 12:10:06 EST 2007
On Nov 8, 2007, at 9:58 AM, Anthony Wlodarski wrote:
> I usually created my SQL queries using sprintf() and
> mysql_real_escape_string() but this morning through an associate I
> was informed of this thing called PDO shipping with PHP 5.1 and
> higher. I did a little research on what it does and was thrilled
> about the potential uses for it. My question is though what are its
> potential uses? I had a chance to preview bindParam for prepared
> statements and was like this is awesome! Also does PDO help escape
> strings or is something like mysql_real_escape_string() always a
> necessity?

I believe PDO bindParam works the same as prepared statements in
mysqli. So mysql_real_escape_string isn't necessary. It's done
internally. The advantage of PDO over mysqli is that it's portable to
other databases. You do get a little overhead vs. working with mysqli
directly. But you know your code is portable. Was anyone else
completely annoyed by the way most of the params were switched between
mysql and mysqli where the db link was required and put as the first
param in most functions?

Some notes about why to use emulated instead of native prepared
statements by Wez Furlong (Digg developer):
http://netevil.org/blog/2006/apr/using-pdo-mysql

PDO is faster than most libraries that provide database abstraction
(like the PEAR libraries). ADOdb is comparable if you make use of
ADOdb's C extension.
http://joseph.randomnetworks.com/archives/2006/04/04/php-database-functions-vs-peardb-vs-adodb

MySQL is supposed to be developing a native PHP driver (instead of using
C to interface with libmysql) for mysqli and eventually PDO, which
should be awesome:
http://blogs.mysql.com/kaj/?p=71
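
The following is an added example, not part of the original post or of the linked articles: it runs the same lookup as a sprintf-built string, as a sprintf-built string with PDO::quote(), and as a PDO prepared statement with bindParam(). Assumptions: an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs offline, and the table, column names and rows are constructed sample data.

```php
<?php
// Constructed sample data in an in-memory SQLite database (assumption: the
// pdo_sqlite driver is available; the same PDO calls work with pdo_mysql).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
    ('Conan O''Brien', 'conan@example.com'),
    ('Alice', 'alice@example.com')");

// A value containing a quote character, as it might arrive from a form.
$name = "Conan O'Brien";

// 1) String-built query with no escaping: the quote ends the literal early
//    and the statement no longer parses.
$sql = sprintf("SELECT email FROM users WHERE name = '%s'", $name);
try {
    $pdo->query($sql);
    $unescaped = 'ran';
} catch (PDOException $e) {
    $unescaped = 'syntax error';
}

// 2) String-built query with PDO::quote(), the portable counterpart of
//    mysql_real_escape_string(); it works only if every value is quoted.
$sql = sprintf('SELECT email FROM users WHERE name = %s', $pdo->quote($name));
$quoted = $pdo->query($sql)->fetchColumn();

// 3) Prepared statement: the SQL text is fixed and the value is bound
//    separately, so there is no escaping step to forget.
$stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$bound = $stmt->fetchColumn();

// bindParam() binds by reference: change the variable and execute again.
$name = 'Alice';
$stmt->execute();
$rebound = $stmt->fetchColumn();

printf("unescaped: %s\nquoted: %s\nbound: %s\nrebound: %s\n",
    $unescaped, $quoted, $bound, $rebound);
```

With pdo_mysql, the choice between emulated and native prepares discussed in the first linked article is made through the PDO::ATTR_EMULATE_PREPARES attribute; the calling code above stays the same either way.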