[CentOS] C5 MySQL injection attack ("Union Select")
Alice Wonder
alice at domblogger.net
Thu Mar 24 14:15:07 UTC 2016
On 03/24/2016 04:53 AM, Александр Кириллов wrote:
>> Be careful with WordPress - it's database handler doesn't actually use
>> parameterized statements, it emulates them with printf - one (of many)
>> reasons I do not like the product.
>
> This is a rather controversial statement. There's nothing wrong with
> using sprintf when building sql queries. Besides
>
> "Using a prepared statement is not always the most efficient way of
> executing a statement. A prepared statement executed only once causes
> more client-server round-trips than a non-prepared statement."
>
The only time database has ever been a bottleneck for me is when I am
not using something like apcu to cache query results. Use of prepared
statements is slower for single queries never repeated but not the
bottleneck in any application I've dealt with.
WordPress lack of genuine prepared statements has however caused me
issues when I would like to make a query that is used more than once
with different parameters.
More information about the CentOS
mailing list