問題描述

當(dāng)您將參數(shù)綁定到 SQL 語句時(shí)，您可以提供類似 PDO::PARAM_STR 的參數(shù)類型.如果不這樣做，請(qǐng)鍵入默認(rèn)為 PDO::PARAM_STR.具體設(shè)置每個(gè)參數(shù)的類型可能是什么原因?PDO::PARAM_STR 可以使用任何參數(shù)，至少在 MySQL 中我知道.我認(rèn)為即使使用 PDO::PARAM_STR 也可以使用 BLOB 列.

When you bind parameters to SQL statement, you can provide parameter type like PDO::PARAM_STR. If you don't, type defaults to PDO::PARAM_STR. What can be the reasons to specifically set the type of each parameter? PDO::PARAM_STR works with any parameter as I know at least in MySQL. I think even with PDO::PARAM_STR can be used even with BLOB columns.

PDO::PARAM_STR 不會(huì)引入任何 SQL 注入，因?yàn)槟匀挥袦?zhǔn)備好的查詢.

PDO::PARAM_STR does not introduce any SQL injection because you still have prepared queries.

推薦答案

Using PARAM_STR 碰巧總是在列值中工作，因?yàn)?mySQL 隱式地將值轉(zhuǎn)換為正確的類型，但它會(huì)失敗，例如在這個(gè)查詢中:

Using PARAM_STR happens to always work in column values because mySQL implicitly converts values to the correct type where it can, but it will fail for example in this query:

$limit = 1;

$dbh->prepare("SELECT * FROM items LIMIT :limit");
$dbh->bindParam(":limit", $limit, PDO::PARAM_STR); 
     // Will throw "You have an error in your SQL syntax..."

絕對(duì)應(yīng)該在適當(dāng)?shù)那闆r下使用 PARAM_INT - 對(duì)于上述情況，并為除 mySQL 之外的數(shù)據(jù)庫引擎做準(zhǔn)備，這些引擎可能對(duì)他們的期望更嚴(yán)格.

one should absolutely use PARAM_INT where appropriate - for cases like the one above, and to prepare for database engines other than mySQL that may be more strict in what they expect.

這篇關(guān)于在 PDO 中強(qiáng)類型參數(shù)的原因?的文章就介紹到這了，希望我們推薦的答案對(duì)大家有所幫助，也希望大家多多支持html5模板網(wǎng)！