What is a parameterized query?


Problem description

What is a parameterized query, and what would an example of such a query be in PHP and MySQL?

Recommended answer

A parameterized query (also known as a prepared statement) is a means of pre-compiling a SQL statement so that all you need to supply are the "parameters" (think "variables") that need to be inserted into the statement for it to be executed. It's commonly used as a means of preventing SQL injection attacks.

You can read more about these on PHP's PDO page (PDO being a database abstraction layer), although you can also make use of them if you're using the mysqli database interface (see the prepare documentation).
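The question asked for a concrete PHP and MySQL example, and the answer above gives none. The following is an added example (not part of the original answer or of PHP's documentation) showing the same lookup written three ways: the unsafe string-concatenation form, a PDO prepared statement, and a mysqli prepared statement. It assumes a MySQL table `users(id INT, email VARCHAR(255))`, a database named `app`, and the placeholder credentials `app_user` / `app_pass`; the function names `findUserByEmailPdo` and `findUserByEmailMysqli` are the example's own.

```php
<?php
// Added example: assumed table users(id INT, email VARCHAR(255)),
// assumed database "app" and placeholder credentials.
$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';
$user = 'app_user';
$pass = 'app_pass';

// ATTR_EMULATE_PREPARES => false makes the MySQL server compile the statement
// itself; the parameter values are then sent separately from the SQL text and
// can never be parsed as SQL.
$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$email = $_GET['email'] ?? '';

// UNSAFE (shown for contrast, not to be used): the untrusted value becomes
// part of the SQL text, which is exactly what enables SQL injection.
// $rows = $pdo->query("SELECT id, email FROM users WHERE email = '$email'")->fetchAll();

// SAFE: PDO prepared statement with a named placeholder.
function findUserByEmailPdo(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the same query through mysqli, using a positional "?" placeholder.
// get_result() requires the mysqlnd driver, which is the default in modern PHP.
function findUserByEmailMysqli(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

var_dump(findUserByEmailPdo($pdo, $email));

$mysqli = new mysqli('127.0.0.1', $user, $pass, 'app');
var_dump(findUserByEmailMysqli($mysqli, $email));
```

Two caveats worth knowing: placeholders can only stand in for values, not for identifiers such as table or column names or for keywords like the `ORDER BY` direction, so those still have to be validated against an allow-list in application code; and PDO emulates prepares client-side by default, so disabling `ATTR_EMULATE_PREPARES` as above is what actually makes the server compile the statement once with the parameters kept out of the SQL text.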

