I've been using ADOdb for many years as my database abstraction and query caching layer. Lately I switched to prepared statements, mostly for security, and became curious about the way they are (or are not) implemented.
Quote from the documentation for the Prepare method: “Returns an array containing the original sql statement in the first array element; the remaining elements of the array are driver dependent. If there is an error, or we are emulating Prepare( ), we return the original $sql string.”
Testing the statement variable with:
    $stmt = $db->Prepare("SELECT * FROM pages WHERE id = ?");
    print_r($stmt);
On connections opened with the ‘mysql’ or ‘mysqli’ parameter, only the original query string is returned – meaning the prepared statement is emulated, I guess. A connection opened with ‘pdo_mysql’ returns (from print_r()):
    Array (
        [0] => SELECT * FROM pages WHERE id = ?
        [1] => PDOStatement Object ([queryString]=>SELECT * FROM pages WHERE id = ?)
    )
Can I take this as definite proof of a real prepared statement? If not, does anybody know of a quick and dirty way to check server-side (something to look for in the query log, or maybe in MySQLProxy)? I tried to read the library source, but got lost halfway...
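On the query-log check asked about above, an added example that is not part of the original post: in the MySQL general query log a server-side prepared statement appears as `Prepare` and `Execute` commands, while an emulated one arrives as a plain `Query` with the values already interpolated. The log excerpt is constructed, and the 5.7+ log layout and the function name `classify_threads` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the MySQL 5.7+ general query log layout
# (timestamp, thread id, command, argument); not captured from a real server.
SAMPLE_LOG = """\
2024-01-01T10:00:00.000000Z\t   12 Connect\tapp@localhost on cms using TCP/IP
2024-01-01T10:00:00.000100Z\t   12 Query\tSELECT * FROM pages WHERE id = 5
2024-01-01T10:00:00.000200Z\t   12 Quit\t
2024-01-01T10:00:01.000000Z\t   13 Connect\tapp@localhost on cms using TCP/IP
2024-01-01T10:00:01.000100Z\t   13 Prepare\tSELECT * FROM pages WHERE id = ?
2024-01-01T10:00:01.000200Z\t   13 Execute\tSELECT * FROM pages WHERE id = 5
2024-01-01T10:00:01.000300Z\t   13 Close stmt\t
2024-01-01T10:00:01.000400Z\t   13 Quit\t
"""

# timestamp, whitespace, thread id, one space, command, tab, argument
LINE_RE = re.compile(r"^\S+\s+(\d+) ([^\t]+)\t(.*)$")


def classify_threads(log_text):
    """Return {thread_id: (kind, statements)} for each connection in the log.

    kind is 'server-side' when the connection issued Prepare and Execute
    (binary protocol), or 'text-protocol' when it only sent Query commands,
    which is what an emulated prepare looks like to the server.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # continuation line of a multi-line statement
        thread, command, argument = match.groups()
        seen[int(thread)][command].append(argument)

    result = {}
    for thread, commands in seen.items():
        if commands["Prepare"] and commands["Execute"]:
            result[thread] = ("server-side", commands["Prepare"])
        elif commands["Query"]:
            result[thread] = ("text-protocol", commands["Query"])
    return result


if __name__ == "__main__":
    for thread, (kind, statements) in sorted(classify_threads(SAMPLE_LOG).items()):
        print(thread, kind, statements)
```

A `PDOStatement` object in the `Prepare()` result does not settle the question by itself, because pdo_mysql emulates prepares unless `PDO::ATTR_EMULATE_PREPARES` is turned off on the connection. The log shows what the server actually received.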