問題描述
我一直在閱讀一些關于使用 mysqli 與 pdo 在 php 中使用 mysql 的問題.
I've been reading some questions regarding using mysqli versus pdo to use mysql in php.
我見過諸如 mysqli 或 PDO 之類的問題 -優點和缺點是什么? 或 從mysql 到 mysqli 或 pdo?,它們都專門處理 mysqli v pdo.我對這兩種方法哪個更好不感興趣.
I've seen questions such as mysqli or PDO - what are the pros and cons? or Moving from mysql to mysqli or pdo?, which both deal with mysqli v pdo exclusively. I'm not as much interested as to which of these two methods are better.
我想知道為什么應該避免使用 mysql_ 函數.當然,根據 PHP 的文檔,它們正在被棄用 http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated,線程 PHP PDO 和 MySQLi 表明 PDO 和 MySQLi 更強大,并且線程 MySQL、MySQLi 和 PDO 有什么區別? 暗示這些較新的方法更安全.
I was wondering why mysql_ functions should be avoided. Of course, they're in the process of being deprecated per PHP's documentation http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated, the thread PHP PDO and MySQLi suggests PDO and MySQLi are more poweful, and the thread What is the difference between MySQL, MySQLi and PDO? implies that these newer methods are more secure.
總的來說,我想知道 mysql_ 方法的主要弱點是什么,以及避免它的原因是什么(我想更具體地說,不僅僅是因為它已被棄用).我正計劃更新受影響的腳本,并且很好奇為什么不推薦使用這種舊方法.
Overall, I'm wondering what are the big weaknesses in the mysql_ methods, and what reasons there are for avoiding it (I guess more specifically than just because it's deprecated). I'm planning to update my affected scripts, and became curious as to why this old method was deprecated.
謝謝!
推薦答案
mysql_query 函數的設計使得你必須小心地轉義你的每一位數據'重新注入它,如果你錯過了一個,你的整個應用程序都可能被自動 SQL 漏洞利用工具破壞.
The design of the mysql_query function is such that you've got to be careful to escape each and every bit of data you're injecting into it, and if you miss even one your entire application can be destroyed by an automatic SQL vulnerability exploit tool.
mysqli 和 PDO 都支持占位符,必須確保您的查詢不受 SQL 注入錯誤的影響.對所有內容調用 mysql_real_escape_string 不僅乏味,而且容易出錯,這就是問題出現的地方.
Both mysqli and PDO support placeholders which are required to ensure that your queries are safe from SQL injection bugs. Calling mysql_real_escape_string on everything is not only tedious, but error-prone, and that's where the problems arise.
mysql 函數是 PHP 早期的產物,與 mysqli 作為選項提供的面向對象的新特性相比,它明顯受到更多限制,或 PDO 設計.
The mysql functions are a product of the very early days of PHP and are significantly more limited than the new object-oriented features offered by both mysqli as an option, or PDO by design.
使用這兩個新接口之一有很多很好的理由,但最重要的是 mysql_query 函數在生產代碼中使用太危險了.有了它,您將永遠遠離一些非常嚴重的問題.
There's a number of very good reasons to use one of these two new interfaces, but the most important is that the mysql_query function is simply too hazardous to use in production code. With it you will always be one mistake away from some very serious problems.
充滿密碼和信用卡號的數據庫不斷出現是有原因的.擁有一個明顯的 SQL 注入點使得完全接管一個站點幾乎太容易了.
There's a reason rips of databases full of passwords and credit card numbers keep showing up. Having an obvious SQL injection point makes it almost too easy to completely take over a site.
這篇關于PHP: mysql v mysqli v pdo的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!