<p>A lot of articles explain that using prepared statements is the best way to escape data sent to MySQL or any other database, but what they all fail to mention is that it costs a lot of performance to actually do it.</p>
<p>Prepared statements work on the server side of the DB: when called, they prepare the memory and find the tables they will need to work with. This is a very nice feature if you work with constant, persistent connections where you can reuse those statements multiple times. But PHP works on a per-request basis, which means it costs more to prepare the statements every single time.</p>
<p>From my experience, the savings on applications with a high query count (the performance hit) can be from 50% to 400%.</p>
<p>Alternatives to MySQL prepared statements are to use the PDO library with "fake" statement preparation, which still lets you bind parameters with proper escaping (very recommended), or to write a simple script to escape them yourself (not recommended).</p>
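<p>The recommended alternative in code, as an added example that is not part of the original post: PDO with emulated ("fake") prepares, so no PREPARE round trip reaches MySQL, while values are still bound through placeholders. The DSN, credentials, and the <code>users</code> table are hypothetical.</p>

```php
<?php
// Added example (not the post author's code): PDO with emulated prepares.
// DSN, credentials and the `users` table are hypothetical placeholders.
declare(strict_types=1);

function connect(): PDO
{
    // The charset in the DSN matters here: with emulation PDO escapes the
    // bound values client-side using this charset before building the query.
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_EMULATE_PREPARES   => true,   // no server-side PREPARE per request
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUsers(PDO $pdo, string $email, int $limit): array
{
    // Placeholders are still used; PDO quotes and interpolates the values
    // itself and sends a single plain query to MySQL.
    $stmt = $pdo->prepare(
        'SELECT id, email FROM users WHERE email = :email LIMIT :limit'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    // Explicit PARAM_INT: under emulation a value bound as a string would be
    // interpolated as '10', which MySQL rejects in a LIMIT clause.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Usage with constructed input: the quote in the address is escaped by PDO,
// so it is matched literally rather than changing the query.
$pdo = connect();
var_dump(findUsers($pdo, "o'brien@example.com", 10));
```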