What's the internals of a prepared statement like?

Problem description

Here's how bind_params seem to be preparing sql statements:

stmt = db.prepare( "select * from table where a=? and b=?" )
stmt.bind_params( 15, "hello" )

So in reality, inside the stmt, we need to have a map/array or something that will eventually map the arguments and create the right stmt. What's the most optimal way of doing this internally? Plus, strings need extra precaution, I imagine - the above will have to be mapped like "select * from table where a = 15 and b = \"hello\" ".

I looked into SQLite3 and OCI and they seem to be passing these to internal C code.

Recommended answer

I am trying to prepare the queries at the client side and send it to the server

If you're trying to do what it sounds like you're trying to do... don't try to do that.

That's not what a prepared statement is (or at least that isn't what it should be).

Your client code should not be trying to interpolate values into the query string in order to generate a "finished" query to send to the server for execution. That is a recipe for disaster, not to mention a false sense of security.

Prepared statements deliver the statement with ? placeholders to the server as-is, where the server "prepares" the statement for execution... and then the client sends the parameters to the server ("binding" the parameters) for execution. Doing this, the server will never be confused as to "which part is the SQL" and "which part is the data," making SQL injection impossible and making escaping and sanitizing the data unnecessary.

mysql_stmt_bind_param() is used to bind input data for the parameter markers in the SQL statement that was passed to mysql_stmt_prepare(). It uses MYSQL_BIND structures to supply the data. bind is the address of an array of MYSQL_BIND structures. The client library expects the array to contain one element for each ? parameter marker that is present in the query.

- http://dev.mysql.com/doc/refman/5.6/en/mysql-stmt-bind-param.html

If you are not communicating directly with the C-API then you should be calling the methods in your library that expose those same functions to you.
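An added example (not from the asker or the answerer) contrasting the two paths the answer describes: binding values to ? markers, versus building the "finished" query text on the client. It uses Python's standard sqlite3 module with a constructed in-memory table; the value "O'Brien" is chosen because a single quote inside the data is exactly where the engine must know which bytes are SQL and which are data.

```python
import sqlite3

# Constructed sample rows (not from the original post).
ROWS = [(15, "hello"), (15, "O'Brien"), (7, "hello")]


def make_db():
    """Create an in-memory table t(a integer, b text) with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table t (a integer, b text)")
    db.executemany("insert into t values (?, ?)", ROWS)
    return db


def query_bound(db, a, b):
    """Prepared-statement path: the SQL with ? markers reaches the engine
    untouched and the values are bound afterwards, so the engine never has
    to guess where the data ends and the SQL resumes."""
    return db.execute("select a, b from t where a=? and b=?", (a, b)).fetchall()


def query_interpolated(db, a, b):
    """The approach the asker was considering: the client splices the values
    into the query text itself. Returns the rows, or None when the engine
    rejects the statement (a quote in the data has broken the SQL)."""
    sql = f"select a, b from t where a={a} and b='{b}'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def demo():
    """Run both paths over the same inputs; the bound path handles the
    quoted value, the interpolated path fails on it."""
    db = make_db()
    return {
        "bound_hello": query_bound(db, 15, "hello"),
        "bound_quote": query_bound(db, 15, "O'Brien"),
        "interp_hello": query_interpolated(db, 15, "hello"),
        "interp_quote": query_interpolated(db, 15, "O'Brien"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```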
