如何正确处理PDO连接错误? [英] How to handle PDO connection errors properly?
问题描述
出于安全原因,我尝试使用PHP / MySQL处理或捕获可能的错误,并想知道我是否做对了。
第一种情况:我将其用作函数,并在需要数据库连接时始终调用它。
第二种情况:我不确定如何处理。我将所有准备好的语句放在 if
条件下,但这很尴尬。
那么 $ stmt->执行
又如何呢?这也可能会失败,并且如果情况真的变得令人困惑,也要进行处理。
我希望有更好的方法。
I try to handle or catch possible errors with PHP/MySQL for security reasons and would like to know if I'm doing it right.
The first case: I use it as a function and call it always when I need a database connection.
The second case: I am not sure how to handle it. I put all prepared statements in if
conditions but that's pretty awkward.
And what about $stmt->execute
? This could also fail and to handle this also in an if condition can really get confusing.
I hope there is a better way to go.
首先:
function pdo () {
try {
$pdo = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pw');
}
catch(PDOException $e) {
header("Location: handle_error.php");
exit;
}
return ($pdo);
}
第二个:
if ($stmt = $pdo->prepare("SELECT a FROM b WHERE c = :c")) {
$stmt->execute(array(':c' => $c));
$result = $stmt->fetch();
echo 'All fine.';
}
else {
echo 'Now we have a problem.';
}
推荐答案
您当前的代码有一些缺陷。让我给你一些指导。
Your current code has some flaws. Let me give you few pointers.
-
您不需要创建的函数,至少不需要当前形式的函数。每次调用此函数时,它都会创建一个新的PDO对象,这可能会影响脚本的性能。理想情况下,整个脚本的执行过程中只需要一个连接。
You do not need the function you have created, at least not in the current form. Every time you call this function it creates a new PDO object, which can hinder your script's performance. Ideally you would want to have only one connection throughout the execution of your whole script.
在创建新的PDO连接时,您需要记住3件事:设置正确的连接字符集,启用错误报告以及禁用模拟准备。
When creating new PDO connection you need to remember 3 things: to set proper connection charset, enable error reporting, and disable emulated prepares.
- 正确的字符集很重要。没有它,您的数据可能会损坏,甚至容易受到SQL注入的攻击。推荐的字符集是
utf8mb4
。 - 启用错误报告功能可以避免手动检查每个函数调用是否失败的麻烦。您只需要告诉PHP在发生错误时触发异常,并找到在服务器上记录错误的合适方法即可(更多信息:我的PDO语句不起作用)
- 默认情况下启用了模拟准备,但事实是,没有它们,您会更好。如果您的数据库支持本机准备的语句(大多数情况下都支持),请改用它们。
完整代码应如下所示:
$options = [
\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
\PDO::ATTR_EMULATE_PREPARES => false,
];
$pdo = new \PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'user', 'pw', $options);
不要捕获异常,除非您知道该如何处理并且肯定您需要这样做。最好是例外。让PHP与其他异常/错误/警告一起处理它们。毕竟为什么只为PHP异常创建一个异常?所有PHP错误都应以相同方式处理。无论您什么都不打印(包括 die
, exit
, echo
, var_dump
)在屏幕上手动显示错误消息。如果此类代码曾经投入生产,那么这将是一个巨大的安全问题。
Don't catch the exceptions unless you know what to do with them and are positively sure you need to do so. Exceptions are best left be; let PHP handle them together with the other exceptions/errors/warnings. After all why make an exception just for PHP exceptions? All PHP errors should be handled the same. Whatever you do never print (including die
, exit
, echo
, var_dump
) the error message manually on the screen. This is a huge security issue if such code ever makes its way into production.
如果将PDO连接设置为对错误抛出异常,则无需使用 if
语句来检查 prepare()
或 execute()
的返回码。
If your PDO connection is set to throw exceptions on errors, you never need to use if
statements to check return code of prepare()
or execute()
.
这篇关于如何正确处理PDO连接错误?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!