PDO - real facts and best practice?


Question

Since now I've been using the older mysql instead of PDO and I've seen many recommendations why to switch to PDO, however also many different facts (also here on SO), e.g.:


  • stating PDO is slightly faster/a little bit slower
  • saying PDO helps prevent SQL-injections, but only if you use prepared queries
  • and also saying using prepared queries is bad, as it is damn slow

So, what is actually true? Especially, what are the best practices when using PDO and both speed and security matter a lot - how to best protect yourself from SQL injections while still having fast queries?

Answer

Database Support

The core advantage of PDO over MySQL is in its database driver support. PDO supports many different drivers like CUBRID, MS SQL Server, Firebird/Interbase, IBM, MySQL, and so on.

Both libraries provide SQL injection security, as long as the developer uses them the way they were intended. It is recommended that prepared statements are used with bound queries.

// PDO, prepared statement
// prepare() returns a PDOStatement; execute() is called on that statement, not on the connection
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->execute(array(':username' => $_GET['username']));

// mysqli, prepared statement
$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$query->bind_param('s', $_GET['username']);
$query->execute();



Speed

While both PDO and MySQL are quite fast, MySQL performs insignificantly faster in benchmarks – ~2.5% for non-prepared statements, and ~6.5% for prepared ones.

Just like @DaveRandom pointed out, this is another feature that PDO has, and it is considerably easier than the horrible numeric binding.

$params = array(':username' => 'test', ':email' => $mail, ':last_login' => time() - 3600);

// named placeholders are bound by key; the prepared statement is executed, not the connection
$stmt = $pdo->prepare('
SELECT * FROM users
WHERE username = :username
AND email = :email
AND last_login > :last_login');

$stmt->execute($params);

Few links for further reference
MySQL vs PDO (Stackoverflow)
Why you should be using PDO for database access (net.tutsplus.com)
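The point the answer makes about prepared statements, as an added, runnable example (not the answer's own code): the string-built query beside its prepared-statement form, run against an in-memory SQLite database through PDO so it works offline. The users table, its rows and the helper names are constructed for this demonstration.

```php
<?php
// Added example, not part of the original answer. Uses PDO's sqlite driver in memory;
// the table, rows and function names below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES => false so the server,
// not the client library, receives the parameters separately from the SQL text.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com')");
$pdo->exec("INSERT INTO users (username, email) VALUES ('o''neil', 'oneil@example.com')");

// Unsafe: the caller's value becomes part of the SQL text. A plain quote in the input
// already breaks the statement, which is the same mechanism an injection abuses.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed when prepare() runs; the value is bound as data,
// so whatever it contains can only ever be compared against the column.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "o'neil"; // ordinary user input that happens to contain a quote

try {
    findUserUnsafe($pdo, $input);
} catch (PDOException $e) {
    // The concatenated statement is malformed; with ERRMODE_EXCEPTION PDO reports it here.
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}

// The prepared form returns the o'neil row without any escaping in application code.
print_r(findUserSafe($pdo, $input));
```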

