When is quoting necessary in prepared statements of PDO in PHP?


Question

It's from the comment under this answer, but I really don't understand what he means:

How to change from mysql to PDO using prepared statements in PHP?

Answer

Prepared statements are "prepared" because you create markers for PDO to insert values into. These markers can be named (for example, :accountId, :url), in which case PDO will find the named marker, or positional (specifically, a question mark, ?), in which case PDO will insert the values in the order the markers were placed.

For example:


$query = "SELECT user_id FROM users WHERE username = ?";
$statement = $pdo->prepare($query);
$statement->execute(array("John Smith"));

Notice the distinct lack of named parameters (specifically, a ? is used instead of :username); the positional style is used instead. It is purely a personal choice to use one or the other, although I find that using named parameters is clearer when debugging.

Anyway. What this means is that you do not have to quote if you are using prepared statements, and you do not have to worry about SQL injection when using prepared statements.

Now, what is really happening is that PDO asks the database driver (MySQL, PostgreSQL, MS SQL, Oracle, etc.) to prepare the statement, but if the database driver cannot prepare it, PDO will simulate that feature. This is where things start to get confusing, but you can safely forget about it and just remember to use prepared statements with parameters.
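An added example, not part of the answer above, showing the two placeholder styles the answer describes beside the hand-quoted concatenation they replace. It uses an in-memory SQLite database (a constructed setup so it runs offline); the users table, the sample rows and the input value are all constructed for the demonstration.

```php
<?php
// Added example (not from the original answer). SQLite in-memory keeps it
// self-contained; the same PDO calls work unchanged against MySQL or PostgreSQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver you would also pass PDO::ATTR_EMULATE_PREPARES => false in
// the constructor options, so the server prepares the statement itself instead of
// PDO emulating it client-side (the simulation the answer mentions).

// Constructed schema and rows for the demonstration.
$pdo->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (username) VALUES ('John Smith'), ('O''Brien')");

// Positional placeholder: no quotes around the ? in the SQL; the value goes to execute().
function findUserIdPositional(PDO $pdo, string $username)
{
    $stmt = $pdo->prepare("SELECT user_id FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchColumn();
}

// Named placeholder: identical behaviour, easier to read when debugging.
function findUserIdNamed(PDO $pdo, string $username)
{
    $stmt = $pdo->prepare("SELECT user_id FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchColumn();
}

// Constructed input: the apostrophe is the character that breaks hand-built SQL.
$input = "O'Brien";

var_dump(findUserIdPositional($pdo, $input));
var_dump(findUserIdNamed($pdo, $input));

// The pattern the prepared statement replaces: quoting by hand and interpolating.
// The data's own apostrophe terminates the string literal early, so the query is
// malformed here; with other input it would change the query's meaning instead.
try {
    $pdo->query("SELECT user_id FROM users WHERE username = '$input'");
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . PHP_EOL;
}
```

Both prepared variants return the matching user_id for the apostrophe-containing name, while the concatenated version raises a PDOException, which is the behaviour the question is asking about.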
