Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?


Question

I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string.

Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the newbie stage when it comes to PHP), but having checked out the PHP manual and read the entry on PDO, I'm still no clearer as to what PDO actually is and why it's better than using mysql_real_escape_string. This may be because I've not really got to grips with the complexities of OOP yet (I'm assuming it's something to do with OOP), but other than the fact that variables and array values seem to have a colon in front of them, I'm still not sure what it actually is and how you use it (and why it's better than mysql_real_escape_string). (It also may have something to do with the fact that I don't really have a clear understanding of what 'classes' are, so when I read "PDO class" I'm none the wiser really).

Having read an article or two on the 'Developer Zone' bit of the MySQL website, I'm still no clearer. As I can't even figure out what it is at the moment, I think probably using it is a bit beyond me right now, but I'm still interested in broadening my education and finding out how I could improve things.

Could anyone explain to me in 'plain English' what PDO is (or point me in the direction of something on the subject written in plain English), and how you'd go about using it?

Solution

As the current answers go into details while your question is more aimed at a general overview, I'll give it a try:

The PDO classes aim to encapsulate all the functionality needed to interact with a database. They do this by defining 'methods' (OO parlance for functions) and 'properties' (OO parlance for variables). You'd use them as a complete replacement for all the 'standard' functions you are using now for talking to a database.

So instead of calling a series of the 'mysql_doSomething()' functions, storing their results in your own variables, you would 'instantiate' an object from the PDO class ('class' = abstract definition, 'object' = concrete, usable instance of a class) and call methods on that object to do the same.

As an example, without PDO, you'd do something like this:

// Get a db connection
$connection = mysql_connect('someHost/someDB', 'userName', 'password');
// Prepare a query (the escaped value must sit inside quotes, otherwise escaping achieves nothing)
$query = "SELECT * FROM someTable WHERE something = '" . mysql_real_escape_string($comparison) . "'";
// Issue a query
$db_result = mysql_query($query);
// Fetch the results
$results = array();
while ($row = mysql_fetch_array($db_result)) {
  $results[] = $row;
}

while this would be the equivalent using PDO:

// Instantiate new PDO object (will create connection on the fly)
$db = new PDO('mysql:dbname=someDB;host=someHost', 'userName', 'password');
// Prepare a query (will escape on the fly)
$statement = $db->prepare('SELECT * FROM someTable WHERE something = :comparison');
// $statement is now a PDOStatement object, with its own methods to use it, e.g.
// execute the query, passing in the parameters to replace
$statement->execute(array(':comparison' => $comparison));
// fetch results as array
$results = $statement->fetchAll();

So on first glance, there is not much difference, except in syntax. But the PDO version has some advantages, the biggest one being database independence:

If you need to talk to a PostgreSQL database instead, you'd only change mysql: to pgsql: in the instantiating call new PDO(). With the old method, you'd have to go through all your code, replacing all 'mysql_doSomething()' functions with their 'pg_doSomething()' counterpart (always checking for potential differences in parameter handling). The same would be the case for many other supported database engines.

So to get back to your question, PDO basically just gives you a different way to achieve the same things, while offering some shortcuts/improvements/advantages. For example, escaping would happen automatically in the proper way needed for the database engine you are using. Also parameter substitution (prevents SQL Injections, not shown in example) is much easier, making it less error prone.

You should read up on some OOP basics to get an idea of other advantages.
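As an added example (my own code, not from the answer above or from the PDO project): the answer's lookup done with escaping alone, with escaping plus quoting, and with a prepared statement, against an in-memory SQLite database so it runs without a MySQL server. The table, its rows, the `$hostile` input and the `findEscapedUnquoted`/`findQuoted`/`findPrepared` helpers are constructed for this demonstration.

```php
<?php
// Added example, not part of the original answer: the lookup from the answer
// done three ways on an in-memory SQLite database (no MySQL server needed).
// For MySQL you would only swap the DSN for 'mysql:dbname=someDB;host=someHost'.
// The table and its two rows are constructed for this demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE someTable (id INTEGER PRIMARY KEY, something TEXT)');
$db->exec("INSERT INTO someTable (something) VALUES ('alpha'), ('O''Brien')");

// 1. Escaping without quoting: the mistake in the answer's first snippet.
//    Doubling quotes is SQLite's equivalent of mysql_real_escape_string, but
//    because the value is not wrapped in quotes, input that contains no quote
//    at all is spliced in as SQL and can widen the WHERE clause.
function findEscapedUnquoted(PDO $db, string $comparison): array
{
    $escaped = str_replace("'", "''", $comparison);
    $sql = 'SELECT * FROM someTable WHERE something = ' . $escaped;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping plus quoting, done for you by PDO::quote(): correct, but you
//    still have to remember it for every value you splice into SQL text.
function findQuoted(PDO $db, string $comparison): array
{
    $sql = 'SELECT * FROM someTable WHERE something = ' . $db->quote($comparison);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the SQL is parsed before the value is supplied, so
//    the value is only ever data and cannot change the statement's structure.
function findPrepared(PDO $db, string $comparison): array
{
    $statement = $db->prepare('SELECT * FROM someTable WHERE something = :comparison');
    $statement->execute([':comparison' => $comparison]);
    return $statement->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = '1 OR 1=1';   // constructed input: no quotes, so escaping leaves it untouched
printf("unquoted escape: %d rows\n", count(findEscapedUnquoted($db, $hostile)));
printf("quoted escape:   %d rows\n", count(findQuoted($db, $hostile)));
printf("prepared:        %d rows\n", count(findPrepared($db, $hostile)));
// A genuine value containing a quote still matches with the safe variants.
printf("prepared O'Brien: %d rows\n", count(findPrepared($db, "O'Brien")));
```

Run it with a PHP build that has the pdo_sqlite extension; the first call returns every row while the quoted and prepared variants return none, which is the difference the answer is describing.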
