0

Currently, I only use stored procedures. Is this considered good practice or bad? I find it helpful to separate my SQL code from my PHP code, and I also remember hearing in a PHP course I took a few semesters back that stored procedures are more secure.

1 Answer

4

In the past, stored procedures and prepared statements were always faster than dynamic SQL strings sent to a database. These days, although that might still be the case sometimes, the differences are minor, if not negligible, so the major benefits of a stored procedure are safety from SQL injection attacks, and also as a layer of abstraction between the application code and the database (allowing you to use the same queries easily across different DB APIs or even different languages). So in general I'd still prefer stored procedures where possible.


2 Comments

Sending parameters to a stored procedure is less data over the wire than the entire SQL statement, making using stored procedures faster. Stored procedures can also contain multiple statements, which would mean trips back & forth from the application to the database - again, stored procedures have the edge because time over the wire and processing in app before passing back is overhead you can't recoup.
Awesome, I currently have a function that allows me to build a CALL statement for stored procedures. The function takes in the name of a procedure as well as an array filled with the data being processed and then it does the magic. It's very simple and helpful, I'm glad I don't have to get rid of it!
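
The answer's point about SQL injection safety, applied to a helper that builds a CALL statement from a procedure name and an array of data. This is an added example, not code from the question, the answer or either comment. The procedure names, the allow-list and the function names `buildCall` and `callProcedure` are hypothetical, and a MySQL connection through PDO is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: procedure name => number of parameters it takes.
const ALLOWED_PROCEDURES = [
    'get_user_by_email' => 1,
    'add_order'         => 3,
];

/**
 * Build a parameterized CALL statement. A procedure name cannot be bound as a
 * parameter, so it is checked against the allow-list; every value becomes a
 * "?" placeholder and never appears in the SQL text.
 */
function buildCall(string $procedure, array $args): array
{
    if (!array_key_exists($procedure, ALLOWED_PROCEDURES)) {
        throw new InvalidArgumentException("Unknown procedure: $procedure");
    }
    if (count($args) !== ALLOWED_PROCEDURES[$procedure]) {
        throw new InvalidArgumentException("Wrong argument count for $procedure");
    }
    $placeholders = implode(', ', array_fill(0, count($args), '?'));
    return ["CALL `$procedure`($placeholders)", array_values($args)];
}

/** Prepare and execute the call on an existing PDO connection (MySQL assumed). */
function callProcedure(PDO $pdo, string $procedure, array $args): array
{
    [$sql, $params] = buildCall($procedure, $args);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->closeCursor(); // free the connection for the next statement
    return $rows;
}

// Constructed sample input: a value containing SQL metacharacters stays data.
[$sql, $params] = buildCall('get_user_by_email', ["x' OR '1'='1"]);
echo $sql, PHP_EOL;
var_dump($params);

// Constructed sample input: a procedure name that is not on the allow-list.
try {
    buildCall('get_user_by_email(); DROP TABLE users; --', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same binding discipline has to hold inside the procedure body: a procedure that concatenates its arguments into dynamic SQL reintroduces the injection risk on the database side.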
