Emulated prepared statements vs real prepared statements


Question

What exactly is the difference between the two kinds of prepared statements?

I think real prepared statements require server-side support which accepts parameters after parsing and compiling the schema/template of the SQL code, and, I suppose, that's what guarantees us against SQL injection.

In the case of emulated prepared statements, with no server support, what does it guarantee us against?

Answer

You are correct, real prepared statements must be supported by the server. A real prepared statement means querying the database in two steps.

The first step consists in sending a query template that the server can pre-compile. The database engine also prepares the execution plan in advance (mostly, which indexes will be used to serve the actual query).

The second step is giving actual values to the placeholders and running the actual query with these parameters.

This typically allows faster execution of several similar queries, because 1. the query has already been pre-compiled (the execution plan is already computed) and 2. only the parameter values are sent subsequently.

An emulated query is just syntactic sugar that only allows easier sending (not faster execution) of several successive, similar queries. Full SQL statements are sent to the server every time an emulated query is executed.

When the server does not support real prepared statements, it is still recommended to use emulated prepared statements, because the driver still takes care of escaping values for you, making SQL injection less likely.
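As an added illustration (not code from the question or answer above), the following Python snippet contrasts the three approaches on sqlite3: a real prepared statement with a bound parameter, a client-side emulation that escapes the value and splices it into the template before sending one full SQL string, and plain concatenation with no escaping. The table, its rows and the minimal escaper are constructed for this example and are not part of any real driver.

```python
import sqlite3

TEMPLATE = "SELECT name FROM users WHERE name = ?"

def make_db():
    # Constructed sample data for this example (not from the original page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'neil", "user")])
    return conn

def real_prepared(conn, name):
    # Real prepared statement, two steps: the template with its placeholder
    # is parsed by the engine first, then the value is bound separately and
    # is never interpreted as SQL text. sqlite3 binds '?' parameters this way.
    return [row[0] for row in conn.execute(TEMPLATE, (name,))]

def build_emulated(name):
    # Emulation, as a driver does it on the client: quote the value, escape
    # any embedded quote, and splice it into the template. The result is one
    # full SQL string that is sent to the server on every execution.
    # Hypothetical minimal escaper: it handles only the single quote.
    literal = "'" + name.replace("'", "''") + "'"
    return TEMPLATE.replace("?", literal, 1)

def emulated_prepared(conn, name):
    return [row[0] for row in conn.execute(build_emulated(name))]

def naive_concat(conn, name):
    # The unsafe baseline: the value is pasted in without escaping, so any
    # quote inside it becomes part of the SQL grammar. Returns None when the
    # database rejects the resulting statement.
    sql = TEMPLATE.replace("?", "'" + name + "'", 1)
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "o'neil"):
        print(value, real_prepared(db, value), emulated_prepared(db, value),
              naive_concat(db, value))
```

The value `o'neil` is legitimate data, yet it already breaks the naive version, which shows that an unescaped value is being parsed as SQL rather than as data; both the bound parameter and the escaped emulation return the expected row.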

