Does it make sense to use a prepared statement (stmt query) for data that is in no way related to GET/POST requests? That is, the user will never write to the ID column, and there will never be a user-driven select on this data.

For example, you need to read ALL "ids" (auto-increment) from a table TB and load them into an array for the subsequent selection of a random array element.


I think that here you can do without stmt.

  • Queries with bound variables can execute faster than queries with the values substituted into the text itself, because when values are substituted into the query text the database recompiles the query each time, whereas when the query text does not change the database can reuse the execution plan from its cache. On some databases, executing a set of queries with different values directly in the text leads to an overflow of the SQL cache and severe degradation of system performance. That is, if this is what you are asking about (it is absolutely not clear what a "stmt query" is). And by the way, a random row can be obtained directly with an SQL query from the database. - Mike
  • mysqli_prepare, mysqli_stmt_bind_param, mysqli_stmt_execute($rawdata), mysqli_stmt_bind_result($rawdata, $capid); mysqli_stmt_fetch($rawdata) ... - root_x Povierennyy
  • "A random row can be obtained directly with an SQL query from the database" - I did not quite understand that. "On some databases, executing multiple queries with different values directly in the text leads to an overflow of the SQL cache and severe performance degradation" - did you mean "in text form"? Unprepared queries are parsed each time and only then executed, and that reduces performance. (?) Actually, I was asking about security. But you wrote that "you can get a random row" - I have not yet understood this. - root_x Povierennyy
  • And what do you need bind_result for? prepare -> bind -> execute -> fetch. Or, if you use PDO instead of mysqli, it is even simpler: prepare -> execute (with parameters) -> fetch. Not only that: every query that has ever been executed can also be stored in system tables, which leads to growth of the SQL cache tables. In terms of security, there is no difference. Especially if the data is purely numeric. But bind parameters were invented for reasons far from security; security is a side effect :) - Mike
  • In general, you should work with SQL so that only the rows that are really needed are pulled from the database. Dragging an array of ALL IDs to the client for the sake of obtaining a few random elements is unwise. There are plenty of other ways: stackoverflow.com/questions/21904/… - Mike
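The thread above contrasts three things: loading every id and picking one client-side, letting the database pick a random row, and binding parameters versus pasting values into the query text. The following is an added example, not code from the question or the commenters. It uses Python's built-in sqlite3 module as a stand-in for PHP with mysqli/PDO (assumption: the behaviour of bound parameters is the same in spirit; MySQL spells the random function RAND() rather than SQLite's RANDOM()). The table name `tb`, the sample rows and the function names are all constructed for the demonstration.

```python
import random
import sqlite3

# Constructed sample data: five rows with auto-increment ids 1..5.
SAMPLE_NAMES = ["alpha", "bravo", "charlie", "delta", "echo"]


def build_db():
    """Create an in-memory table shaped like the asker's TB (auto-increment id)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tb (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL)"
    )
    # Inserting through bound parameters; the names never touch the SQL text.
    conn.executemany("INSERT INTO tb (name) VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    conn.commit()
    return conn


def load_all_ids(conn):
    """The approach from the question: pull every id to the client, pick one later."""
    return [row[0] for row in conn.execute("SELECT id FROM tb ORDER BY id")]


def random_row_in_sql(conn):
    """Let the database choose one row (MySQL: ORDER BY RAND() LIMIT 1)."""
    return conn.execute("SELECT id, name FROM tb ORDER BY RANDOM() LIMIT 1").fetchone()


def random_row_by_offset(conn):
    """Alternative that avoids sorting the whole table: count, pick an offset, fetch one.
    The offset is passed as a bound parameter, not spliced into the query text."""
    (count,) = conn.execute("SELECT COUNT(*) FROM tb").fetchone()
    offset = random.randrange(count)
    return conn.execute(
        "SELECT id, name FROM tb ORDER BY id LIMIT 1 OFFSET ?", (offset,)
    ).fetchone()


def fetch_by_id_unsafe(conn, value):
    """Value spliced into the SQL text. Harmless for a trusted integer; if a string
    ever reaches it, that string is parsed as SQL."""
    return conn.execute(f"SELECT id, name FROM tb WHERE id = {value}").fetchall()


def fetch_by_id_safe(conn, value):
    """Same lookup with a bound parameter: the value is data, never SQL syntax."""
    return conn.execute("SELECT id, name FROM tb WHERE id = ?", (value,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("all ids:", load_all_ids(db))
    print("random row (SQL):", random_row_in_sql(db))
    print("random row (offset):", random_row_by_offset(db))
    print("unsafe with trusted int:", fetch_by_id_unsafe(db, 3))
    print("unsafe with hostile string:", fetch_by_id_unsafe(db, "1 OR 1=1"))
    print("safe with hostile string:", fetch_by_id_safe(db, "1 OR 1=1"))
```

With a trusted integer both lookup functions return the same single row, which is the point Mike makes about purely numeric data. The difference appears only when a value you did not expect arrives: the spliced version returns every row for `"1 OR 1=1"`, while the bound version compares the id column against the literal string and returns nothing. Whether the id source is trusted today is a judgement about the surrounding code, not about the query, which is why the habit of binding costs nothing and removes the judgement.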
