准备好的陈述 - 它们是否必要 [英] prepared statements - are they necessary

问题描述

准备好的语句添加了大量代码……但我一直听到有人提到要使用它们……从 1 行代码增加到大约 6 行代码会增加什么价值?这仅仅是为了防止sql注入吗?

Prepared statments add a significant amount of code...yet I keep hearing mentions to use them...what value is added by going from 1 line of code to about 6? Is this simply to protect against sql injection?

类似帖子此处.

php.net 关于准备好的语句这里

php.net on prepared statements here

推荐答案

准备好的语句提供了针对 SQL 注入的出色保护.

Prepared statements offer excellent protection against SQL injection.

除了 SQL 注入保护之外，当同一个查询要多次执行时(例如在 INSERT 循环中)，准备好的语句可以减少数据库服务器上的负载.该语句仅由 RDBMS 编译一次，而无需像在 mysql_query() 调用中那样每次都编译.

In addition to SQL injection protection, prepared statements offer reduced load on the database server when the same query is to executed multiple times, such as in an INSERT loop. The statement is only compiled once by the RDBMS rather than needing to be compiled each time as it would in a mysql_query() call.

不同的 API 需要不同数量的代码来执行准备好的语句.我发现 PDO 可能比 MySQLi 少一点冗长，例如，如果您的情况允许在 execute() 调用中使用隐式参数绑定.这只适用，如果您的所有参数都可以作为字符串进行评估.

Different APIs require varying amounts of code to execute a prepared statement. I find that PDO can be a little less verbose than MySQLi, if for example your situation permits the use of implicit parameter binding inside the execute() call. This only works, if all your params can be evaluated as strings though.

// PDO implicit binding example:
// Not many lines of code if the situation allows for it
$stmt = $pdo->prepare("SELECT * FROM tbl WHERE col1=? AND col2=? AND col3=?");
$stmt->execute(array($val1, $val2, $val3));

这篇关于准备好的陈述 - 它们是否必要的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！