
PDO Prepared Statements with multiple conditions in where clause

If I'm using PDO prepared statements, and I have a query like this:

```sql
SELECT cat_name, cat_id_PK, cat_amount
FROM categories
WHERE month=? AND is_recurring = '0'
ORDER BY cat_name ASC;
```

```php
$results->bindValue(1, $cur_month);
```

Should I also be binding the value of the is_recurring clause? The '0' is hard-coded in, and I don't think it would leave me vulnerable to SQL injection, but I wanted to ask to be sure. I noticed in a tutorial I was looking at that they did bind the value even though it wasn't a variable being passed, which made me wonder if I was doing it right.

No, in this situation binding is not necessary. As stated by PHP.net, prepared statements serve two purposes:

  1. the query only needs to be parsed once, and therefore runs faster
  2. they prevent SQL injection

Since you are hardcoding that value in the query, neither applies. The query stays the same, so it only has to be compiled once. And there is no user input pasted into the query, so SQL injection is impossible (as long as you do bind the other value, of course).

Conclusion: You don't have to bind the 0, because it's not variable.
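As an added example (not code from the question or answer above), the two cases side by side: the query as asked, with the constant literal left in the SQL and only the month bound, and the variant where is_recurring also comes from the caller and therefore needs its own placeholder. It assumes PHP with pdo_sqlite and an in-memory database; the categories table and its rows are constructed inline.

```php
<?php
// Added example, not code from the question or answer. Assumes pdo_sqlite;
// the categories table and the three rows below are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE categories (cat_id_PK INTEGER PRIMARY KEY, cat_name TEXT,
            cat_amount REAL, month INTEGER, is_recurring INTEGER)');
$ins = $pdo->prepare('INSERT INTO categories (cat_name, cat_amount, month, is_recurring)
                      VALUES (?, ?, ?, ?)');
foreach ([['Rent', 900, 5, 1], ['Groceries', 250, 5, 0], ['Gifts', 60, 6, 0]] as $row) {
    $ins->execute($row);
}

// Case 1 (the query from the question): is_recurring = '0' is part of the SQL text
// and never changes, so only the month, which comes from outside, gets a placeholder.
function nonRecurringForMonth(PDO $pdo, $cur_month): array
{
    $stmt = $pdo->prepare("SELECT cat_name, cat_id_PK, cat_amount FROM categories
                           WHERE month = ? AND is_recurring = '0' ORDER BY cat_name ASC");
    $stmt->bindValue(1, (int) $cur_month, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Case 2: as soon as is_recurring is chosen by the caller (for example a filter on a
// form), it is no longer a constant and must be bound as well. A bound value travels
// to the database as data, so it can only be compared, never parsed as SQL.
function forMonthAndRecurring(PDO $pdo, $cur_month, $is_recurring): array
{
    $stmt = $pdo->prepare('SELECT cat_name, cat_id_PK, cat_amount FROM categories
                           WHERE month = ? AND is_recurring = ? ORDER BY cat_name ASC');
    $stmt->bindValue(1, (int) $cur_month, PDO::PARAM_INT);
    $stmt->bindValue(2, $is_recurring); // deliberately left as the raw string
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(nonRecurringForMonth($pdo, 5));
print_r(forMonthAndRecurring($pdo, 5, '0'));
// A string that would have changed the WHERE clause had it been concatenated into
// the SQL is, when bound, only ever compared against the is_recurring column.
print_r(forMonthAndRecurring($pdo, 5, '0 OR 1=1'));
```

The rule of thumb the answer gives falls out of the two functions: a literal that is fixed in the source can stay in the SQL text, and anything that can vary at run time gets a placeholder, whatever it is called.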
