If your language/database of choice has a built-in function to escape user-input, (for开发者_如何学Python instance, mysql_real_escape_string) what are the arguments for SQL parameterization? Is it possible that mysql_real_escape_string might, at some point, leave an application vulnerable?
I use parameterization because I've been told / have read it's the better way to go, but I don't just want to follow blindly. Any insight? Thanks!
Arguments for parameterization is performance.
If you are going to execute the following sentence several times:
insert into table (col1, col2) values (?, ?);
It's better to use parameters since the query is going to be evaluated only (parsed, plan analysis and computation) once, and will be executed many times.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论