SQL queries: binding variables vs specifying them

Views: 82

Question

I am creating a simple query in mySql to insert some values from a form into my db.

My question is simple, but in reference to the difference between binding variables vs specifying them into the sql statement.

Binding:

$query = "INSERT INTO test (name, lastName, price) VALUES (:name, :lastName, :price)";
$apply = $con -> prepare($query);
$apply -> execute (array(':name'=>$name, ':lastName'=>$lastName, ':price'=>$price));

Typical:

$query = "INSERT INTO test (name, lastName, price) VALUES ($name, $lastName, $price)";
Execute the query....

Is the Binding option really recommended even for simple cases like the one above? Why is that?

Thanks!

Accepted answer

It's necessary since you have user-defined values, and they can be easily manipulated by the user to break your query structure and execute unwanted commands.

It wouldn't be necessary if the data were only manipulated by the server. But since it uses data from the superglobals, which the user can manipulate (cookie, session, post, get, request...), it's a must.
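The point the answer makes about query structure, shown as an added example (not code from the question or the answer): the interpolated statement from the question beside the bound one, run against an in-memory SQLite database so it executes offline. It assumes the pdo_sqlite extension is available; the interpolated form has quotes added around the string values so that it is at least syntactically complete for harmless input.

```php
<?php
// Added example, not part of the original post. Assumes pdo_sqlite.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE test (name TEXT, lastName TEXT, price REAL)');

// Constructed form input: an ordinary surname that contains an apostrophe.
$name = 'Mary';
$lastName = "O'Brien";
$price = 9.99;

// 1) Specifying the values inside the statement text. The apostrophe in
//    $lastName closes the string literal early, so the server parses the
//    rest of the user's text as SQL: this is the "broken query structure"
//    the answer refers to. Returns the database error message, or null if
//    the input happened to be harmless.
function insertInterpolated(PDO $con, string $name, string $lastName, float $price): ?string {
    $query = "INSERT INTO test (name, lastName, price) VALUES ('$name', '$lastName', $price)";
    try {
        $con->exec($query);
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// 2) Binding. The statement text is fixed at prepare() time; the values are
//    sent separately and cannot alter the statement, whatever characters
//    they contain.
function insertBound(PDO $con, string $name, string $lastName, float $price): bool {
    $apply = $con->prepare('INSERT INTO test (name, lastName, price) VALUES (:name, :lastName, :price)');
    return $apply->execute([':name' => $name, ':lastName' => $lastName, ':price' => $price]);
}

// Interpolated: echoes the syntax error raised by the database for this input.
$err = insertInterpolated($con, $name, $lastName, $price);
echo 'interpolated: ' . ($err ?? 'ok') . PHP_EOL;

// Bound: the row is inserted and the apostrophe is stored verbatim.
insertBound($con, $name, $lastName, $price);
$row = $con->query('SELECT lastName FROM test')->fetch(PDO::FETCH_ASSOC);
echo 'bound: stored lastName = ' . $row['lastName'] . PHP_EOL;
```

The same contrast holds on MySQL; SQLite is used here only so the script runs without a server.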
