PHP:mysql v mysqli v pdo [英] PHP: mysql v mysqli v pdo

问题描述

我一直在阅读有关使用mysqli和pdo在php中使用mysql的一些问题.

I've been reading some questions regarding using mysqli versus pdo to use mysql in php.

我看到了诸如 mysqli或PDO之类的问题-优点和缺点是什么?或 mysql还是mysqli或pdo?，它们都专门处理mysqli v pdo.我对这两种方法中哪种更好一点不感兴趣.

I've seen questions such as mysqli or PDO - what are the pros and cons? or Moving from mysql to mysqli or pdo?, which both deal with mysqli v pdo exclusively. I'm not as much interested as to which of these two methods are better.

我想知道为什么应该避免mysql_函数.当然，它们正在根据PHP文档 PHP PDO和MySQLi 表明PDO和MySQLi更加强大，并且线程

I was wondering why mysql_ functions should be avoided. Of course, they're in the process of being deprecated per PHP's documentation http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated, the thread PHP PDO and MySQLi suggests PDO and MySQLi are more poweful, and the thread What is the difference between MySQL, MySQLi and PDO? implies that these newer methods are more secure.

总的来说，我想知道mysql_方法的主要弱点是什么，以及避免它的原因是什么(我想更确切地说，不仅仅是因为它已被弃用).我打算更新受影响的脚本，并对为什么不推荐使用此旧方法感到好奇.

Overall, I'm wondering what are the big weaknesses in the mysql_ methods, and what reasons there are for avoiding it (I guess more specifically than just because it's deprecated). I'm planning to update my affected scripts, and became curious as to why this old method was deprecated.

谢谢！

推荐答案

mysql_query函数的设计使得您必须谨慎地转义要注入的每一个数据，并且即使您错过了整个应用程序，也可以通过自动SQL漏洞利用工具来销毁整个应用程序.

The design of the mysql_query function is such that you've got to be careful to escape each and every bit of data you're injecting into it, and if you miss even one your entire application can be destroyed by an automatic SQL vulnerability exploit tool.

mysqli和PDO都支持占位符，它们都是必需的，以确保查询免受SQL注入错误的影响.在所有内容上调用mysql_real_escape_string不仅繁琐，而且容易出错，这就是问题所在.

Both mysqli and PDO support placeholders which are required to ensure that your queries are safe from SQL injection bugs. Calling mysql_real_escape_string on everything is not only tedious, but error-prone, and that's where the problems arise.

mysql函数是PHP早期的产物，并且比mysqli作为选件或PDO设计提供的面向对象的新功能要受限制得多.

The mysql functions are a product of the very early days of PHP and are significantly more limited than the new object-oriented features offered by both mysqli as an option, or PDO by design.

使用这两个新接口之一有很多很好的理由，但是最重要的是mysql_query函数太危险了，无法在生产代码中使用.有了它，您将永远远离一些非常严重的问题而成为一个错误.

There's a number of very good reasons to use one of these two new interfaces, but the most important is that the mysql_query function is simply too hazardous to use in production code. With it you will always be one mistake away from some very serious problems.

有一个原因是，充满密码和信用卡号的数据库记录不断出现.具有明显的SQL注入点使得完全接管站点几乎变得太容易了.

There's a reason rips of databases full of passwords and credit card numbers keep showing up. Having an obvious SQL injection point makes it almost too easy to completely take over a site.

这篇关于PHP:mysql v mysqli v pdo的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！