Question
Prepared statements add a significant amount of code...yet I keep hearing mentions to use them...what value is added by going from 1 line of code to about 6? Is this simply to protect against SQL injection?
Similar post here.
php.net on prepared statements here
Accepted answer
Prepared statements offer excellent protection against SQL injection.
In addition to SQL injection protection, prepared statements offer reduced load on the database server when the same query is to be executed multiple times, such as in an INSERT loop. The statement is only compiled once by the RDBMS rather than needing to be compiled each time as it would in a mysql_query() call.
Different APIs require varying amounts of code to execute a prepared statement. I find that PDO can be a little less verbose than MySQLi, if for example your situation permits the use of implicit parameter binding inside the execute() call. This only works if all your params can be evaluated as strings, though.
// PDO implicit binding example:
// Not many lines of code if the situation allows for it
$stmt = $pdo->prepare("SELECT * FROM tbl WHERE col1=? AND col2=? AND col3=?");
$stmt->execute(array($val1, $val2, $val3));
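Added example (not from the original answer) showing the three points above in runnable PHP: a string-built query beside its prepared equivalent, one prepared INSERT reused in a loop, and explicit bindValue() for a non-string parameter, which is the case implicit execute() binding does not cover. It assumes PDO with the SQLite driver and uses an in-memory database so it runs without a server; table and rows are constructed sample data.

```php
<?php
// Added example: PDO prepared statements vs. string-built SQL.
// Uses an in-memory SQLite database (assumed available) so it runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)");

// One prepared INSERT reused in a loop: compiled once, executed per row.
$insert = $pdo->prepare("INSERT INTO users (name, age) VALUES (?, ?)");
$rows = [['alice', 30], ['bob', 25], ["o'brien", 41]];  // constructed sample data
foreach ($rows as [$name, $age]) {
    $insert->execute([$name, $age]);
}

// Untrusted input (constructed): a value that happens to contain a quote.
$input = "o'brien";

// Vulnerable pattern: the value is interpolated into the SQL text, so any
// quote or SQL keyword in $input becomes part of the query's structure.
// With this input the stray quote breaks the statement; PDO throws.
try {
    $pdo->query("SELECT name FROM users WHERE name = '$input'");
} catch (PDOException $e) {
    echo "string-built query failed: " . $e->getMessage() . PHP_EOL;
}

// Safe pattern: the SQL text is fixed at prepare() time; the value travels
// separately as data and is never parsed as SQL.
$stmt = $pdo->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$input]);
echo "prepared query found: " . $stmt->fetchColumn() . PHP_EOL;

// Implicit binding in execute() sends every value as a string. When the
// column or driver cares about the type, bind explicitly with a PDO::PARAM_* type.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE age > :min");
$stmt->bindValue(':min', 26, PDO::PARAM_INT);
$stmt->execute();
echo "users older than 26: " . (int) $stmt->fetchColumn() . PHP_EOL;
```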