bindValue()和bindParam()之间的混淆? [英] Confusion between bindValue() and bindParam()?
问题描述
我对这两个功能Bindvalue()和BindParam()
- 我在php.net上阅读,它不会逃脱
%和_,因此在使用LIKE时要小心.因此,我认为在使用LIKE查询时不使用BindValue(). - 当我们使用
LIKE查询时,将使用BindParam().因为据我所知BindParam可以逃避这些%和_. -
BindValue()不能防止sql注入.我不确定这是真的吗?
- I read on php.net it does not escape
%and_, so be careful when usingLIKE. So i thinkBindValue()is not used when we are using LIKE query. - when we using
LIKEqueryBindParam()is used. Because as i know BindParam can escape these%and_. BindValue()doesn't gives protection against sql injection. I am not sure about this, is it true?
朋友告诉我,我在这三点中提到的是对还是错. 我是PDO的初学者,所以请清楚解释一下..
friends tell what i mention in these 3 points is right or wrong. i am beginner in PDO so please explain it clearly ..
推荐答案
对值进行转义或不转义的方式应该没有区别. bindParam与bindValue的不同之处在于,它引用变量,仅在执行语句时才绑定值. bindValue立即获取值.为了说明:
There should be no difference in how values are escaped or not escaped. bindParam differs from bindValue in that it references the variable, binding the value only when you execute the statement. bindValue takes the value immediately. To illustrate:
$stmt = $db->prepare('SELECT * FROM `table` WHERE foo = :foo');
$foo = 'foo';
$stmt->bindValue(':foo', $foo);
$foo = 'bar';
$stmt->execute();
以上执行方式与SELECT * FROM table WHERE foo = 'foo';
$stmt = $db->prepare('SELECT * FROM `table` WHERE foo = :foo');
$foo = 'foo';
$stmt->bindParam(':foo', $foo);
$foo = 'bar';
$stmt->execute()
以上执行方式与SELECT * FROM table WHERE foo = 'bar'类似.
的确,它们都不关心_或%作为特殊字符,因为一般来讲,就语法而言,它们不是特殊字符,并且数据库驱动程序无法分析上下文以进行计算确定在LIKE查询的上下文中您平均 %是通配符还是实际字符%".
It's true that neither cares about _ or % as special characters, because generally speaking they aren't special characters as far as the syntax is concerned, and the database driver is not able to analyze the context to figure out whether you mean % to be a wildcard or the actual character "%" in the context of a LIKE query.
两者都可以防止SQL注入.
Both protect against SQL injection.
这篇关于bindValue()和bindParam()之间的混淆?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
