In web development, we do face the issue of running a query few thousands to million times everyday. If your website traffic is small then the impact of such queries is not noticed. but if your site attracts lots of users and the query requires to run a good number of time, it might hurt your database performance. every query we run goes through a rigorous cycle to produce the desire result. it goes from parsing, optimizing, executing and returning the result. once a query is written and ran correctly for the first time then the steps of parsing and optimization is not necessarily requires as it is already been parsed and optimized. for the same query it is kind of redundant efforts going on. but what if we can just execute the query and get the result and bypass few of the early steps? well it’s possible and that is where the concept of Stored Procedure and Prepared statements come from. now let’s look at the detail of it
Prepared statements are the ability to set up a statement once, and then execute it many times with different parameters. They are designed to replace building ad hoc query strings, and do so in a more secure and efficient manner. A typical prepared statement would look something like:
SELECT * FROM table WHERE column = ?
? is what is a called a placeholder. When you execute the above query, you would need to supply the value for it, which would replace the
? in the query above.
as from Harrison Fisk article on prepared statement
Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack. Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function.
The increase in performance in prepared statements can come from a few different features. First is the need to only parse the query a single time. When you initially prepare the statement, MySQL will parse the statement to check the syntax and set up the query to be run. Then if you execute the query many times, it will no longer have that overhead. This pre-parsing can lead to a speed increase if you need to run the same query many times, such as when doing many
following image will illustrate the fact
A stored procedure is a precompiled executable object that contains one or more SQL statements. Hence you can replace your complex SQL statements with a single stored procedure. Since, stored procedures are precompiled objects they execute faster at the database server. For the consecutive run it will run from the compiled stage and hence boost performance.
Note: You have to choose the when to use to use what. certainly not every query should be transformed to prepared statement or stored procedures. 🙂