PHP: mysql v mysqli v pdo [英] PHP: mysql v mysqli v pdo

问题描述

我一直在阅读一些关于使用 mysqli 与 pdo 在 php 中使用 mysql 的问题.

I've been reading some questions regarding using mysqli versus pdo to use mysql in php.

我见过诸如 mysqli 或 PDO 之类的问题 -优点和缺点是什么? 或 从mysql 到 mysqli 或 pdo?，它们都专门处理 mysqli v pdo.我对这两种方法哪个更好不感兴趣.

I've seen questions such as mysqli or PDO - what are the pros and cons? or Moving from mysql to mysqli or pdo?, which both deal with mysqli v pdo exclusively. I'm not as much interested as to which of these two methods are better.

我想知道为什么应该避免使用 mysql_ 函数.当然，根据 PHP 的文档，它们正在被弃用 http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated，线程 PHP PDO 和 MySQLi 表明 PDO 和 MySQLi 更强大，并且线程 MySQL、MySQLi 和 PDO 有什么区别? 暗示这些较新的方法更安全.

I was wondering why mysql_ functions should be avoided. Of course, they're in the process of being deprecated per PHP's documentation http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated, the thread PHP PDO and MySQLi suggests PDO and MySQLi are more poweful, and the thread What is the difference between MySQL, MySQLi and PDO? implies that these newer methods are more secure.

总的来说，我想知道 mysql_ 方法的主要弱点是什么，以及避免它的原因是什么(我想更具体地说，不仅仅是因为它已被弃用).我正计划更新受影响的脚本，并且很好奇为什么不推荐使用这种旧方法.

Overall, I'm wondering what are the big weaknesses in the mysql_ methods, and what reasons there are for avoiding it (I guess more specifically than just because it's deprecated). I'm planning to update my affected scripts, and became curious as to why this old method was deprecated.

谢谢！

推荐答案

mysql_query 函数的设计使得你必须小心地转义你的每一位数据'重新注入它，如果你错过了一个，你的整个应用程序都可能被自动 SQL 漏洞利用工具破坏.

The design of the mysql_query function is such that you've got to be careful to escape each and every bit of data you're injecting into it, and if you miss even one your entire application can be destroyed by an automatic SQL vulnerability exploit tool.

mysqli 和 PDO 都支持占位符，必须确保您的查询不受 SQL 注入错误的影响.对所有内容调用 mysql_real_escape_string 不仅乏味，而且容易出错，这就是问题出现的地方.

Both mysqli and PDO support placeholders which are required to ensure that your queries are safe from SQL injection bugs. Calling mysql_real_escape_string on everything is not only tedious, but error-prone, and that's where the problems arise.

mysql 函数是 PHP 早期的产物，与 mysqli 作为选项提供的面向对象的新特性相比，它明显受到更多限制，或 PDO 设计.

The mysql functions are a product of the very early days of PHP and are significantly more limited than the new object-oriented features offered by both mysqli as an option, or PDO by design.

使用这两个新接口之一有很多很好的理由，但最重要的是 mysql_query 函数在生产代码中使用太危险了.有了它，您将永远远离一些非常严重的问题.

There's a number of very good reasons to use one of these two new interfaces, but the most important is that the mysql_query function is simply too hazardous to use in production code. With it you will always be one mistake away from some very serious problems.

充满密码和信用卡号的数据库不断出现是有原因的.拥有一个明显的 SQL 注入点使得完全接管一个站点几乎太容易了.

There's a reason rips of databases full of passwords and credit card numbers keep showing up. Having an obvious SQL injection point makes it almost too easy to completely take over a site.

这篇关于PHP: mysql v mysqli v pdo的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！