Real escape string vs bind param


Question

In PHP, what is the difference, which is better, and why, using mysqli?

I have a whole project written with real escape string. Is it necessary to convert to object-oriented prepared statements?

Accepted answer

From the programmer's point of view, the difference between escaping the values manually and parameterized/prepared statements as implemented by PDO is the degree of separation, automation, and a shift of responsibility.

With *_escape_string the developer has to ensure that all values:

  • are passed through the corresponding *_escape_string function and
  • are placed within SQL string literals, as the *_escape_string functions are intended to be used for escaping string literal values only.

This can work perfectly if the developer has the discipline to keep track of each parameter's processing. But it tends to become more complicated, and thus error prone, the more complex a statement gets.

And if there's just one parameter missing proper processing or handling, the statement is at risk of being vulnerable to SQL injection. And to be honest, there are actually many cases here on Stack Overflow which show that this manual technique is more error prone, as it's easy to miss one of the aforementioned points.

In contrast to that, PDO provides a layer of abstraction by having just placeholders in the statement. The parameter values are passed separately and PDO takes care of proper processing and handling. All the developer has to do is prepare the statement with the placeholders and then execute the prepared statement with the actual values.

Now which one is better? Obviously the latter PDO variant, as it is less error prone and way cleaner. There are fewer things for the developer to consider and take care of, because it's now done by PDO.
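The two requirements the answer lists (escape every value, and place it only inside a string literal) and the prepared-statement alternative, as an added example that is not part of the original answer. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; `escapeLikeMysqli()` is an assumed stand-in for `mysqli::real_escape_string`, which needs a live connection, and the two inputs are constructed.

```php
<?php
// Added example, not from the original answer. In-memory SQLite via PDO so it
// runs offline; escapeLikeMysqli() is an assumed stand-in for
// mysqli::real_escape_string (which requires a live connection). SQLite's
// quote doubling is enough to show where escaping does and does not help.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

function escapeLikeMysqli(string $v): string {
    // Only neutralises characters that matter INSIDE a quoted literal.
    return str_replace("'", "''", $v);
}

// Constructed inputs: one aimed at a string literal, one at an unquoted number.
$nameInput = "x' OR 'a'='a";
$idInput   = "1 OR 1=1";

// 1. Escaped value placed inside a string literal: the quote is neutralised
//    and the whole input is compared as one name, so no row matches.
$sql = "SELECT COUNT(*) FROM users WHERE name = '" . escapeLikeMysqli($nameInput) . "'";
echo "escaped, inside literal: " . $pdo->query($sql)->fetchColumn() . " rows\n"; // 0

// 2. Escaped value placed outside a literal (numeric column, no quotes): there
//    is nothing for the escaping to act on, so the input becomes part of the
//    SQL and the WHERE clause no longer restricts anything.
$sql = "SELECT COUNT(*) FROM users WHERE id = " . escapeLikeMysqli($idInput);
echo "escaped, unquoted:       " . $pdo->query($sql)->fetchColumn() . " rows\n"; // 3

// 3. Prepared statement: values never touch the SQL text, so their placement
//    is irrelevant and there is nothing for the developer to keep track of.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE id = :id OR name = :name');
$stmt->execute([':id' => $idInput, ':name' => $nameInput]);
echo "prepared statement:      " . $stmt->fetchColumn() . " rows\n";             // 0
```

Case 2 is the "placed within SQL string literals" point from the answer: the same escaping call is present, yet it protects nothing because the value is not inside quotes.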
