postmodern-prepared-statements


Prepared Statements

The general rule of thumb when deciding whether to use prepared statements is to use them unless you have a sufficient reason not to. Prepared statements are compiled before execution, which gives better performance, and they increase security against SQL injection because the database server takes care of the encoding of special characters.

  1. Preventing SQL injection attacks. Input from external sources (a web browser is external!) that is going to be saved to the database is passed as a parameter value rather than as part of the query text, which amounts to automatic sanitizing of that input.
  2. Batch processing. If you have a lot of data to enter into, modify in, or remove from the database at once, prepared statements can be used for that: they optimize away most of the overhead of such operations and let you write fast database batch code.
  (defprepared sovereign-of
    (:select 'sovereign :from 'country :where (:= 'name '$1))
    :single!)

  (sovereign-of "The Netherlands")
  ;; => "Beatrix"

The bang at the end of the :single! keyword indicates that an error is signalled if the query returns more than one row.
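The following is an added example, not code from the Postmodern manual, that puts both points above side by side: a lookup that splices a caller-supplied string into SQL text, the prepared-statement version of the same lookup, and a prepared INSERT reused for a batch inside one transaction. It assumes a table country(name, sovereign), a placeholder connection spec, and constructed sample rows.

```lisp
;; Added example, not from the Postmodern manual. Assumes a PostgreSQL
;; database reachable with the placeholder connection spec below and a
;; table country(name text primary key, sovereign text).
(ql:quickload :postmodern)
(in-package :postmodern)

;; Risky pattern: the caller-supplied string becomes part of the SQL
;; text, so a value containing a quote character is parsed as SQL rather
;; than treated as data.
(defun sovereign-of-unsafe (name)
  (query (format nil "SELECT sovereign FROM country WHERE name = '~a'" name)
         :single!))

;; Prepared statement: $1 is a parameter placeholder. The server receives
;; the query text and the value separately, so the value is never parsed
;; as SQL and no manual escaping is needed.
(defprepared sovereign-of
  (:select 'sovereign :from 'country :where (:= 'name '$1))
  :single!)

;; Batch use: one prepared INSERT, planned once, reused for every row.
;; :none means the statement returns no rows.
(defprepared add-country
  (:insert-into 'country :set 'name '$1 'sovereign '$2)
  :none)

(defun load-countries (rows)
  "ROWS is a list of (name sovereign) pairs. Inserts all of them or,
if any insert fails, none of them, because the transaction is rolled back."
  (with-transaction ()
    (dolist (row rows)
      (apply #'add-country row))))

;; Usage with placeholder connection parameters and constructed sample
;; rows: (database user password host).
(with-connection '("dbname" "dbuser" "dbpassword" "localhost")
  (load-countries '(("The Netherlands" "Beatrix")
                    ("Belgium" "Albert II")))
  (sovereign-of "The Netherlands"))
```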
