Problem description
I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string.
Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the newbie stage when it comes to PHP), but having checked out the PHP manual and read the entry on PDO, I'm still no clearer as to what PDO actually is and why it's better than using mysql_real_escape_string. This may be because I've not really got to grips with the complexities of OOP yet (I'm assuming it's something to do with OOP), but other than the fact that variables and array values seem to have a colon in front of them, I'm still not sure what it actually is and how you use it (and why it's better than mysql_real_escape_string). (It also may have something to do with the fact that I don't really have a clear understanding of what 'classes' are, so when I read "PDO class" I'm none the wiser really.)
Having read an article or two on the 'Developer Zone' bit of the MySQL website, I'm still no clearer. As I can't even figure out what it is at the moment, I think probably using it is a bit beyond me right now, but I'm still interested in broadening my education and finding out how I could improve things.
Could anyone explain to me in 'plain English' what PDO is (or point me in the direction of something on the subject written in plain English), and how you'd go about using it?
Recommended answer
As the current answers go into details while your question is more aimed at a general overview, I'll give it a try:
The PDO classes aim to encapsulate all the functionality needed to interact with a database. They do this by defining 'methods' (OO parlance for functions) and 'properties' (OO parlance for variables). You'd use them as a complete replacement for all the 'standard' functions you are using now for talking to a database.
So instead of calling a series of the 'mysql_doSomething()' functions, storing their results in your own variables, you would 'instantiate' an object from the PDO class ('class' = abstract definition, 'object' = concrete, usable instance of a class) and call methods on that object to do the same.
As an example, without PDO, you'd do something like this:
// Get a db connection (the mysql_* functions take host, user and password;
// the database is selected separately; note this extension was removed in PHP 7)
$connection = mysql_connect('someHost', 'userName', 'password');
mysql_select_db('someDB', $connection);
// Prepare a query: the escaped value must be wrapped in quotes by hand
$query = "SELECT * FROM someTable WHERE something = '" . mysql_real_escape_string($comparison) . "'";
// Issue a query
$db_result = mysql_query($query);
// Fetch the results
$results = array();
while ($row = mysql_fetch_array($db_result)) {
$results[] = $row;
}
while this would be the equivalent using PDO:
// Instantiate new PDO object (will create connection on the fly; DSN, user and password)
$db = new PDO('mysql:dbname=someDB;host=someHost', 'userName', 'password');
// Prepare a query (the value is sent separately, so no quoting or escaping by hand)
$statement = $db->prepare('SELECT * FROM someTable WHERE something = :comparison');
// $statement is now a PDOStatement object, with its own methods to use it, e.g.
// execute the query, passing in the parameters to replace
$statement->execute(array(':comparison' => $comparison));
// fetch results as array
$results = $statement->fetchAll();
So on first glance, there is not much difference, except in syntax. But the PDO version has some advantages, the biggest one being database independence:
If you need to talk to a PostgreSQL database instead, you'd only change mysql: to pgsql: in the instantiating call new PDO(). With the old method, you'd have to go through all your code, replacing all 'mysql_doSomething()' functions with their 'pg_doSomething()' counterpart (always checking for potential differences in parameter handling). The same would be the case for many other supported database engines.
So to get back to your question, PDO basically just gives you a different way to achieve the same things, while offering some shortcuts/improvements/advantages. For example, escaping would happen automatically in the proper way needed for the database engine you are using. Also parameter substitution (prevents SQL Injections, not shown in example) is much easier, making it less error prone.
You should read up on some OOP basics to get an idea of other advantages.
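The prepare/execute pattern from the answer, as an added example that is not part of the original answer: it runs against an in-memory SQLite database through the same PDO class, so it works offline and also illustrates the database-independence point (only the DSN changes for MySQL). The table, column names, sample rows and the findBySomething() helper are all made up for this example.

```php
<?php
// Added example, not from the original answer. Uses PDO's sqlite driver so it
// runs without a server; for MySQL the only change is the DSN plus credentials,
// e.g. new PDO('mysql:dbname=someDB;host=someHost', 'userName', 'password').
declare(strict_types=1);

$dsn = 'sqlite::memory:';   // assumed DSN for this example
$db = new PDO($dsn, null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw on SQL errors instead of failing silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,       // rows as plain associative arrays
]);

// Constructed sample data for the example.
$db->exec('CREATE TABLE someTable (id INTEGER PRIMARY KEY, something TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO someTable (something) VALUES (:value)');
foreach (['alpha', 'beta', "o'neil"] as $value) {
    $insert->execute([':value' => $value]);
}

/**
 * Hypothetical helper: fetch rows whose "something" column equals $comparison.
 * The value is bound to the :comparison placeholder, so quotes or SQL keywords
 * inside it are compared as text and cannot alter the statement's structure.
 */
function findBySomething(PDO $db, string $comparison): array
{
    $statement = $db->prepare('SELECT id, something FROM someTable WHERE something = :comparison');
    $statement->execute([':comparison' => $comparison]);
    return $statement->fetchAll();
}

// A value containing a quote: with string concatenation this is exactly the
// case that needs mysql_real_escape_string; with a bound parameter nothing
// extra is required.
print_r(findBySomething($db, "o'neil"));

// Input that looks like SQL is still just a comparison value here.
print_r(findBySomething($db, "alpha' OR '1'='1"));

// Prepare once, execute many times with different parameters.
$count = $db->prepare('SELECT COUNT(*) AS n FROM someTable WHERE something = :comparison');
foreach (['alpha', 'gamma'] as $needle) {
    $count->execute([':comparison' => $needle]);
    echo $needle, ' => ', $count->fetchColumn(), PHP_EOL;
}
```

Setting PDO::ATTR_ERRMODE to ERRMODE_EXCEPTION is the usual choice in practice: a typo in the SQL or a failed connection then surfaces as a thrown exception rather than a false return value that the calling code quietly ignores.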
This concludes the article on why PDO is better than mysql_real_escape_string for escaping MySQL queries/query strings.