問題描述

我一直在發(fā)現(xiàn)句子PHP PDO's Prepared statements prevent SQL injection.

• php PDO(PDO 的預準備語句)如何防止 sql 注入?
• 使用 PDO(PDO 的準備好的語句)的其他優(yōu)點/缺點是什么?
• 使用 PDO(PDO 的預準備語句)會降低效率嗎?

我讀過這個:PDO 準備好的語句是否足以防止 SQL 注入?但那里的數(shù)據(jù)并不完全清楚.

I have read this: Are PDO prepared statements sufficient to prevent SQL injection? But the data there is not completely clear.

推薦答案

乍一看，您的問題看起來更復雜，只需一個鏈接即可回答

Well, at second glance your question looks more complex to be answered with just one link

php pdo的prepared statement是如何防止sql注入的?

How does php pdo's prepared statements prevent sql injection?

預處理語句如何防止 SQL 注入攻擊?

使用 PDO 的其他優(yōu)點/缺點是什么?

What are other pros/cons of using PDO?

最有趣的問題.
PDO 最大的缺點是:它被兜售和傳播銀彈，另一個崇拜的偶像.
雖然不了解它根本不會像任何其他工具一樣發(fā)揮作用.
PDO 有一些關鍵特性，比如

Most interesting question.
A greatest PDO disadvantage is: it is peddled and propagated a silver bullet, another idol to worship.
While without understanding it will do no good at all, like any other tool.
PDO has some key features like

• 數(shù)據(jù)庫抽象.這是一個神話，因為它不會改變 SQL 語法本身.而且您根本無法在 Postgre 中使用 mysql 自動增量 ID.更不用說切換數(shù)據(jù)庫驅動程序并不是開發(fā)人員經常做出的決定.
• 占位符支持、實現(xiàn)原生準備好的語句或模擬它們. 好的方法但非常有限.缺少必要的占位符類型，例如標識符或 SET 占位符.
• 一種無需編寫循環(huán)即可將所有記錄放入數(shù)組的輔助方法.只有一個.當您需要至少 4 個來讓您的工作變得明智且不那么無聊時.

• Database abstraction. It's a myth, as it doesn't alter the SQL syntax itself. And you simply can't use mysql autoincremented ids with Postgre. Not to mention the fact that switching database drivers is not among frequent developer's decisions.
• Placeholders support, implementing native prepared statements or emulating them. Good approach but very limited one. There are lack of necessary placeholder types, like identifier or SET placeholder.
• a helper method to get all the records into array without writing a loop. Only one. When you need at least 4 to make your work sensible and less boring.

使用 PDO 會降低效率嗎?

Does using PDO reduce efficiency?

再次強調，降低效率的不是 PDO，而是準備好的語句.這取決于數(shù)據(jù)庫服務器和您的應用程序之間的網絡延遲，但對于大多數(shù)實際情況，您可能認為它可以忽略不計.

Again, it is not PDO, but prepared statements that reduces efficiency. It depends on the network latency between the db server and your application but you may count it negligible for the most real world cases.

這篇關于PHP PDO 的prepared statements 如何防止sql注入?使用 PDO 的其他好處是什么?使用 PDO 會降低效率嗎?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！