为什么 PDO 比 mysql_real_escape_string 更适合转义 MySQL 查询/查询字符串? [英] Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?

问题描述

有人告诉我，我最好使用 PDO 进行 MySQL 转义，而不是 mysql_real_escape_string.

I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string.

也许我正在度过一个脑残的一天(或者可能是因为我绝对不是一个天生的程序员，而且我在 PHP 方面仍然处于新手阶段)，但是已经查看了 PHP 手册并阅读了 有关 PDO 的条目，我仍然不清楚 PDO 究竟是什么以及为什么它比使用 mysql_real_escape_string 更好.这可能是因为我还没有真正掌握 OOP 的复杂性(我假设它与 OOP 有关)，但除了变量和数组值似乎在它们前面有一个冒号这一事实之外，我仍然不确定它到底是什么以及你如何使用它(以及为什么它比 mysql_real_escape_string 更好.(这也可能与我并没有真正清楚的事实有关)理解什么是类"，所以当我读到PDO 类"时，我真的一点也不聪明).

Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the newbie stage when it comes to PHP), but having checked out the PHP manual and read the entry on PDO, I'm still no clearer as to what PDO actually is and why it's better than using mysql_real_escape_string. This may be because I've not really got to grips with the complexities of OOP yet (I'm assuming it's something to do with OOP), but other than the fact that variables and array values seem to have a colon infront of them, I'm still not sure what it actually is and how you use it (and why it's better than mysql_real_escape_string. (It also may have something to do with the fact that I don't really have a clear understanding of what 'classes' are, so when I read "PDO class" I'm none the wiser really).

已阅读关于开发人员"的一两篇文章MySQL网站的Zone'位，我仍然不清楚.由于目前我什至无法弄清楚它是什么，我认为现在使用它可能有点超出我的范围，但我仍然有兴趣扩大我的教育范围并找出我可以改进的方法.

Having read an article or two on the 'Developer Zone' bit of the MySQL website, I'm still no clearer. As I can't even figure out what it is at the moment, I think probably using it is a bit beyond me right now, but I'm still interested in broadening my education and finding out how I could improve things.

谁能用简单的英语"向我解释什么是 PDO(或为我指明用简单英语编写的主题方向)，以及您将如何使用它?

Could anyone explain to me in 'plain English' what PDO is (or point me in the direction of something on the subject written in plain English), and how you'd go about using it?

推荐答案

由于当前的答案进入了详细信息，而您的问题更侧重于总体概述，我会尝试一下:

As the current answers go into details while your question is more aimed at a general overview, I'll give it a try:

PDO 类旨在封装与数据库交互所需的所有功能.他们通过定义方法"(函数的 OO 客厅)和属性"(变量的 OO 客厅)来做到这一点.您可以将它们用作完全替代您现在用于与数据库对话的所有标准"函数.

The PDO classes aim to encapsulate all the functionality needed to interact with a database. They do this by defining 'methods' (OO parlor for functions) and 'properties' (OO parlor for variables). You'd use them as a complete replacement for all the 'standard' functions you are using now for talking to a database.

因此，与其调用一系列 'mysql_doSomething()' 函数，将它们的结果存储在您自己的变量中，您可以从 PDO 类中实例化"一个对象('class' = 抽象定义，'object' = 具体，类的可用实例)并调用该对象上的方法来执行相同的操作.

So instead of calling a series of the 'mysql_doSomething()' functions, storing their results in your own variables, you would 'instantiate' an object from the PDO class ('class' = abstract definition, 'object' = concrete, usable instance of a class) and call methods on that object to do the same.

举个例子，如果没有 PDO，你会做这样的事情:

As an example, without PDO, you'd do something like this:

// Get a db connection
$connection = mysql_connect('someHost/someDB', 'userName', 'password');
// Prepare a query
$query = "SELECT * FROM someTable WHERE something = " . mysql_real_escape_string($comparison) . "'";
// Issue a query
$db_result = mysql_query($query);
// Fetch the results
$results = array();
while ($row = mysql_fetch_array($db_result)) {
  $results[] = $row;
}

虽然这与使用 PDO 是等效的:

while this would be the equivalent using PDO:

// Instantiate new PDO object (will create connection on the fly)
$db = new PDO('mysql:dbname=someDB;host=someHost');
// Prepare a query (will escape on the fly)
$statement = $db->prepare('SELECT * FROM someTable WHERE something = :comparison');
// $statement is now a PDOStatement object, with its own methods to use it, e.g.
// execute the query, passing in the parameters to replace
$statement->execute(array(':comparison' => $comparison));
// fetch results as array
$results = $statement->fetchAll();

所以乍一看，除了语法之外，没有太大区别.但是 PDO 版本有一些优点，最大的一个是数据库独立性:

So on first glance, there is not much difference, except in syntax. But the PDO version has some advantages, the biggest one being database independence:

如果您需要与 PostgreSQL 数据库对话，您只需在实例化调用 new PDO()<中将 mysql: 更改为 pgsql:/代码>.使用旧方法，您必须遍历所有代码，将所有 'mysql_doSomething()' 函数替换为其对应的 'pg_doSomthing()' 函数(始终检查参数处理中的潜在差异).许多其他受支持的数据库引擎也是如此.

If you need to talk to a PostgreSQL database instead, you'd only change mysql:to pgsql: in the instantiating call new PDO(). With the old method, you'd have to go through all your code, replacing all 'mysql_doSomething()' functions with their 'pg_doSomthing()' counterpart (always checking for potential differences in parameter handling). The same would be the case for many other supported database engines.

所以回到你的问题，PDO 基本上只是给你一种不同的方式来实现同样的事情，同时提供一些捷径/改进/优势.例如，转义会以您正在使用的数据库引擎所需的正确方式自动发生.此外，参数替换(防止 SQL 注入，示例中未显示)要容易得多，因此更不容易出错.

So to get back to your question, PDO basically just gives you a different way to achieve the same things, while offering some shortcuts/improvements/advantages. For example, escaping would happen automatically in the proper way needed for the database engine you are using. Also parameter substitution (prevents SQL Injections, not shown in example) is much easier, making it less error prone.

您应该阅读一些 OOP 基础知识以了解其他优势.

You should read up on some OOP basics to get an idea of other advantages.

这篇关于为什么 PDO 比 mysql_real_escape_string 更适合转义 MySQL 查询/查询字符串?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！