How to handle PDO connection errors properly?

Question

I try to handle or catch possible errors with PHP/MySQL for security reasons and would like to know if I'm doing it right. The first case: I use it as a function and call it always when I need a database connection. The second case: I am not sure how to handle it. I put all prepared statements in if conditions but that's pretty awkward. And what about $stmt->execute? This could also fail and to handle this also in an if condition can really get confusing. I hope there is a better way to go.

The first:

function pdo () {
  try {
    $pdo = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pw');
  }
  catch(PDOException $e) {
    header("Location: handle_error.php");
    exit;
  }
  return ($pdo);
}

The second:

if ($stmt = $pdo->prepare("SELECT a FROM b WHERE c = :c")) {
  $stmt->execute(array(':c' => $c));
  $result = $stmt->fetch();
  echo 'All fine.';
}
else {
  echo 'Now we have a problem.';
}


Recommended answer

Your current code has some flaws. Let me give you a few pointers.


  1. You do not need the function you have created, at least not in the current form. Every time you call this function it creates a new PDO object, which can hinder your script's performance. Ideally you would want to have only one connection throughout the execution of your whole script.

When creating a new PDO connection you need to remember 3 things: to set the proper connection charset, enable error reporting, and disable emulated prepares.


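  • A proper charset is important. Without it your data could get corrupted, or you could even be left vulnerable to SQL injection. The recommended charset is utf8mb4.

  • Enabling error reporting saves you the trouble of manually checking every single function call for failure. You just need to tell PHP to trigger exceptions when an error occurs and find a suitable way of logging the errors on your server (more info: My PDO Statement doesn't work).

  • Emulated prepares are enabled by default, but the truth is you are better off without them. If your database supports native prepared statements (most do), use them instead.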

The full code should look like this:

$options = [
    \PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION,
    \PDO::ATTR_EMULATE_PREPARES => false,
];
$pdo = new \PDO('mysql:host=localhost;dbname=dbname;charset=utf8mb4', 'user', 'pw', $options);


  • Don't catch the exceptions unless you know what to do with them and are positively sure you need to do so. Exceptions are best left be; let PHP handle them together with the other exceptions/errors/warnings. After all, why make an exception just for PHP exceptions? All PHP errors should be handled the same. Whatever you do, never print (including die, exit, echo, var_dump) the error message manually on the screen. This is a huge security issue if such code ever makes its way into production.

    If your PDO connection is set to throw exceptions on errors, you never need to use if statements to check the return code of prepare() or execute().
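
The pieces of the answer put together, as an added example that is not part of the original answer: one shared connection, exceptions enabled, and a single handler that logs the details and shows the visitor only a generic message. The helper name `db()`, the handler's message text and the in-memory SQLite DSN (used so the script runs without a MySQL server) are assumptions.

```php
<?php
declare(strict_types=1);

// Production-style settings: nothing is rendered to the client, everything is logged.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// One handler for every uncaught exception, PDOException included.
set_exception_handler(function (Throwable $e): void {
    // Full detail (message, file, line) goes to the server log only.
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        http_response_code(500);
    }
    echo "An internal error occurred.\n"; // generic text, no SQL or credentials
});

// Hypothetical helper: creates the connection once and reuses it afterwards.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumption: in-memory SQLite so the example runs without a server. With MySQL,
        // use the answer's DSN: 'mysql:host=localhost;dbname=dbname;charset=utf8mb4'.
        $pdo = new PDO('sqlite::memory:', null, null, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // as in the answer; relevant to the MySQL driver
        ]);
    }
    return $pdo;
}

// Constructed sample data matching the question's query.
db()->exec('CREATE TABLE b (a TEXT, c INTEGER)');
db()->exec("INSERT INTO b (a, c) VALUES ('first', 1)");

// No if-checks around prepare()/execute(): a failure throws instead of returning false.
$stmt = db()->prepare('SELECT a FROM b WHERE c = :c');
$stmt->execute([':c' => 1]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row['a'], "\n";

// Deliberate failure (table does not exist): the PDOException reaches the handler above,
// which logs the database message and prints only the generic line.
$stmt = db()->prepare('SELECT a FROM missing_table WHERE c = :c');
$stmt->execute([':c' => 1]);
```

Run from the command line, the database's error detail for the second query appears only in the error log (stderr for the CLI), never in the script's normal output.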