PHP Prepared Statements: Turn Emulation Off


Question

Are there any side effects to turning off emulation when using prepared statements with PDO? I'm using a SELECT * and limiting the results, which needs to be handled as an int and not a string. I can do one of two things:

// $conn is the PDO connection; disable emulated prepares for the whole connection
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

Or bind these variables explicitly with a parameter type:

$stm = $pdo->prepare('SELECT * FROM table LIMIT ?, ?');
// bind the LIMIT offset and row count as integers so they are not quoted
$stm->bindParam(1, $limit_from, PDO::PARAM_INT);
$stm->bindParam(2, $per_page, PDO::PARAM_INT);
$stm->execute();
$data = $stm->fetchAll();

Any pros or cons? Obviously turning emulation off would save a lot of binding.

Answer

Prepared statements are a feature of the low-level database driver. The database accepts the query structure first and receives the variable parameters separately. Again, this is a feature actually supported by the database itself.

"Emulated prepares" means that you use the same API on the PHP side, with separate prepare() and bind/execute calls, but the PDO driver is just internally escaping and concatenating the strings, sending a good old long SQL string to the database. The database doesn't get to use its native parameterized query feature.

Turning emulated prepares off forces PDO to use the database's native parameterized query feature. You should only turn/leave emulated prepares on if your database (driver) doesn't support native parameterized queries. Emulated prepares are only there to support old database (drivers), and it does not change how you bind parameters in your PHP code.

Emulated prepares may expose security flaws under certain circumstances, just as all client-side escaping and concatenation may. If the query and data remain separated all the way to the database, those flaws aren't possible.
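The following is an added example, not code from the question or the answer above. It runs the two options the question contrasts (binding LIMIT values with PDO::PARAM_INT versus switching emulation off) against pdo_mysql and shows what the answer describes: under emulation PDO quotes the values itself and MySQL receives a literal string in LIMIT, while with native prepares the values travel separately and the server handles them. The DSN, credentials and the `items` table with an integer `id` column are assumptions, and a MySQL server is required because SQLite would silently accept a string in LIMIT.

```php
<?php
// Added example, not code from the original question or answer.
// Assumptions: a reachable MySQL server with the DSN and credentials below
// (placeholders) and a table `items` that has an integer column `id`.
declare(strict_types=1);

const DSN  = 'mysql:host=127.0.0.1;dbname=testdb;charset=utf8mb4';
const USER = 'testuser';
const PASS = 'testpass';

// LIMIT values as they usually arrive from a query string: strings, not ints.
$limit_from = '0';
$per_page   = '10';

$sql = 'SELECT id FROM items ORDER BY id LIMIT ?, ?';

/**
 * Prepare and run $sql with the given positional values.
 * $type === null binds with the PDO default (PDO::PARAM_STR);
 * otherwise each value is cast to int and bound as PDO::PARAM_INT.
 * Returns a short result line instead of throwing, so every case runs.
 */
function runLimitQuery(PDO $pdo, string $sql, array $values, ?int $type = null): string
{
    try {
        $stm = $pdo->prepare($sql);
        foreach ($values as $i => $value) {
            if ($type === null) {
                $stm->bindValue($i + 1, $value);              // PDO::PARAM_STR
            } else {
                $stm->bindValue($i + 1, (int) $value, $type); // the cast matters, see case 2
            }
        }
        $stm->execute();
        return sprintf('ok (%d rows)', count($stm->fetchAll(PDO::FETCH_ASSOC)));
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

$pdo = new PDO(DSN, USER, PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 1. Emulation on (the pdo_mysql default). PDO quotes the string values itself
//    and sends one interpolated statement; MySQL sees LIMIT '0', '10', which
//    is a syntax error because LIMIT only accepts integer literals.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
echo 'emulated, PARAM_STR: ', runLimitQuery($pdo, $sql, [$limit_from, $per_page]), PHP_EOL;

// 2. Emulation on, PDO::PARAM_INT with an (int) cast. PDO interpolates the
//    integers unquoted, so MySQL sees LIMIT 0, 10. Without the cast a PHP
//    string bound as PARAM_INT is still quoted under emulation, so the cast,
//    not the type constant alone, is what makes this work.
echo 'emulated, PARAM_INT: ', runLimitQuery($pdo, $sql, [$limit_from, $per_page], PDO::PARAM_INT), PHP_EOL;

// 3. Emulation off: statement text and values are sent separately and the
//    server coerces the parameters for LIMIT itself, so no per-parameter type
//    is needed. This is also the mode in which the data can never change the
//    shape of the query, which is the security point of the answer.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
echo 'native,   PARAM_STR: ', runLimitQuery($pdo, $sql, [$limit_from, $per_page]), PHP_EOL;

// 4. One side effect of native prepares on pdo_mysql: a named placeholder may
//    not be used twice in the same statement (SQLSTATE HY093), although the
//    emulated parser accepts it. Code relying on that needs a second name.
try {
    $stm = $pdo->prepare('SELECT id FROM items WHERE id = :v OR id + 1 = :v');
    $stm->bindValue(':v', 5, PDO::PARAM_INT);
    $stm->execute();
    echo 'native, reused placeholder: ok', PHP_EOL;
} catch (PDOException $e) {
    echo 'native, reused placeholder: failed: ', $e->getMessage(), PHP_EOL;
}
```

Two practical notes on the trade-off the question asks about. First, casting is not optional in emulated mode: `bindValue(1, '10', PDO::PARAM_INT)` still produces a quoted string in the interpolated SQL, so the idiom is `(int) $value` together with `PDO::PARAM_INT`. Second, switching emulation off is a connection-wide change, so existing queries that reuse a named placeholder, or that send several statements in one `query()` call, will start failing on pdo_mysql and need to be adjusted before the flag is flipped in production.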
