t3lib_DB does not execute prepared queries, even when the prepared functions are used. All queries are transformed to "normal" MySQL queries. Only DBAL takes advantage of using them ATM.
This should be fixed for 4.6 I think.
[FEATURE] Execute native prepared queries
As TYPO3 is now using mysqli, prepared queries are natively supported
and should be used.
DBAL, however, does not yet actually use native prepared queries but
falls back to standard queries by replacing placeholders and executing
the underlying SQL query.
Reviewed-by: Andreas Fernandez
Tested-by: Andreas Fernandez
Tested-by: Wouter Wolters
Reviewed-by: Markus Klein
Reviewed-by: Stefan Neufeind
Reviewed-by: Jigal van Hemert
Tested-by: Jigal van Hemert
#5 Updated by Markus Klein over 6 years ago
- Target version deleted (
- Complexity set to hard
I took a closer look here.
To sum it up: quite hard
- Our DB API supports named parameters (:placeholder), but MySQL does not.
- The patch from Benni does not take DBAL into account at all. So this is a no go.
- The mysqli_stmt::get_result() (buffered result) method is only available with the mysqlnd driver according to the PHP docs.
We'd need to:
- Get DBAL straight for 6.2 (#50752)
- Implement a translation layer from named to positioned parameters, which would involve some sort of query parsing again.
- Make the PreparedStatement class independent of any database link, as the exact link used is different for every driver used in DBAL.
- Emulate a buffered result, if mysqlnd is not available, to make the PreparedStatement::seek() function work
So IMHO this is a topic for 6.3+
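
The translation layer from named to positional parameters mentioned in the comment above, sketched as an added example (not part of the original thread and not TYPO3 or DBAL code). The names `namedToPositional()` and `bindTypes()`, the sample query and the `:name`-keyed parameter array are assumptions.

```php
<?php
declare(strict_types=1);

// Quoted literals and backtick identifiers are listed first so they are
// consumed whole; only a :name outside of them reaches capture group 1.
// SQL comments are not handled in this sketch.
const PLACEHOLDER_RE = <<<'RE'
/'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*"|`[^`]*`|:([A-Za-z_]\w*)/s
RE;

/**
 * Hypothetical helper: rewrites :name placeholders to ? and returns
 * [positional SQL, values in placeholder order].
 */
function namedToPositional(string $sql, array $params): array
{
    $values = [];
    $rewritten = preg_replace_callback(
        PLACEHOLDER_RE,
        function (array $m) use ($params, &$values): string {
            if (!isset($m[1])) {
                return $m[0]; // string literal or quoted identifier: keep as is
            }
            if (!array_key_exists($m[0], $params)) {
                throw new InvalidArgumentException("No value bound for {$m[0]}");
            }
            // A name used twice needs its value twice in the positional list.
            $values[] = $params[$m[0]];
            return '?';
        },
        $sql
    );
    if ($rewritten === null) { throw new RuntimeException('Placeholder scan failed'); }
    return [$rewritten, $values];
}

/** Type string for mysqli_stmt::bind_param(): i = integer, d = double, s = string. */
function bindTypes(array $values): string
{
    return implode('', array_map(function ($v): string {
        return is_int($v) ? 'i' : (is_float($v) ? 'd' : 's');
    }, $values));
}

// Constructed sample query: :pid occurs twice and once inside a literal.
$sql = "SELECT uid FROM pages WHERE (pid = :pid OR uid = :pid) AND title <> ':pid' AND hidden = :hidden";
[$query, $values] = namedToPositional($sql, [':pid' => 42, ':hidden' => 0]);
echo $query, PHP_EOL, bindTypes($values), ' ', json_encode($values), PHP_EOL;
// With a live connection: $stmt = $mysqli->prepare($query); $stmt->bind_param(bindTypes($values), ...$values);
```

Because the values travel separately from the SQL text, the server never parses them as SQL, unlike the placeholder-replacement fallback described in the commit message.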