[英]PHP/mysql: Is changing (SELECT, {resource}) to ({resource}, SELECT) a viable temporary patch for mysql_* to mysqli_*?
On first inspection of the differences in application of the mysql*() and mysqli*() families of functions, it appears to me that 在首先检查mysql *()和mysqli *()函数系列在应用方面的差异时,在我看来
$seta = mysql_query("SELECT * FROM table WHERE field = $Filter", $database);
Can be rapidly replaced with: 可以快速替换为:
$seta = mysqli_query($database, "SELECT * FROM table WHERE field = $Filter");
Similarly, it also appears that 同样,似乎
IF ($A = mysql_fetch_array($seta)) {
do {
//code here
} while ($A = mysql_fetch_array($seta));
}
Could be replaced with: 可以替换为:
IF ($A = mysqli_fetch_array($seta)) {
do {
//code here
} while ($A = mysqli_fetch_array($seta));
}
Will this work the way I am expecting it to? 可以按照我期望的方式工作吗? As it worked before mysqli*()? 因为它在mysqli *()之前工作了?
PLEASE NOTE : I am not asking if I SHOULD do this, only if I CAN do this. 请注意 :我不是问我是否应该这样做,只要我能做到这一点。 I know full well that slapping a band-aid on a broken leg is useless... That said, I don't have that many hours of coding/testing time before the Demo in March this is being prepped for. 我完全知道,将创可贴打在一条断腿上是没有用的……也就是说,在准备三月份的演示之前,我没有太多的编码/测试时间。
Yes, I understand the this is vulnerable code. 是的,我知道这是易受攻击的代码。 I won't go to production without safeguards. 没有保障,我不会投产。 I also realize that I am not using all the power of the mysqli*() family of functions this way. 我也意识到我并没有以这种方式使用mysqli *()系列函数的全部功能。
My goal is to refactor everything properly when there isn't such a heavy time crunch (Yes, I know, famous last programmer words). 我的目标是在没有这么长的时间紧缩的情况下正确地重构所有内容(是的,我知道,程序员的最后一句话很著名)。 I just need the patched code to run for a Demo then I can retire it. 我只需要运行修补程序的代码即可运行Demo,然后可以将其停用。
I have high hopes that with a working prototype -- both in situ and on a server I'm spinning up just to demonstrate the need for software updates -- I'll be able to leave the PHP v4.x blues behind. 我寄希望于有了一个可以运行的原型,无论是在现场还是在服务器上,我都在不断旋转,以证明对软件更新的需求。我将能够将PHP v4.x抛在脑后。
Project: 项目:
PHP/MySQL better user searching PHP / MySQL更好的用户搜索
Also checked: 还检查了:
How to upgrade from mysql* to mysqli*? 如何从mysql *升级到mysqli *?
PHP Migrating from mysql* to mysqli PHP从mysql *迁移到mysqli
Above titles were trimed of underscores to prevent formatting 上面的标题被删去了下划线以防止格式化
The quick and dirty method, with emphasis on dirty , is to do it this way by converting mysql_query
to mysqli_query
and so on. 快速且肮脏的方法(着重于dirty )是通过将mysql_query
转换为mysqli_query
等来实现的。 The problem is mysql_query
is really clunky to use so preserving that coding style is not going to help clean anything up. 问题是mysql_query
使用起来确实很笨拙,因此保留编码风格不会帮助清理任何内容。
Although I'd strongly recommend switching to PDO, it's a more flexible and capable database layer, if you want mysqli
then what you want to do is employ parameterized queries and bind_param
to add user data to your query. 尽管我强烈建议切换到PDO,但它是一个更灵活,功能更强大的数据库层,如果您要使用mysqli
, bind_param
使用参数化查询和bind_param
将用户数据添加到查询中。 This solves the vast majority of SQL injection bugs out of the gate. 这解决了绝大多数SQL注入错误 。 I'd also suggest using the object-oriented interface so your updated code is obvious. 我还建议您使用面向对象的界面,这样您的更新代码就显而易见了。 The difference of a single i
can be easy to overlook, plus it's typically less verbose. 单身i
的区别很容易被忽略,而且它的冗长程度通常较低。
In other words, your replaced code looks like: 换句话说,您替换的代码如下所示:
$stmt = $database->prepare("SELECT * FROM table WHERE field=?");
$stmt->bind_param('s', $filter);
$res = $stmt->execute();
If you're disciplined about doing this you should catch all your SQL mistakes. 如果您受此约束,则应该捕获所有SQL错误。
PDO is nicer because of named parameters: 由于命名参数的缘故,PDO更好:
$stmt = $database->prepare("SELECT * FROM table WHERE field=:filter");
$res = $stmt->execute(array('filter' => $filter));
That usually means less code in the long-run. 从长远来看,这通常意味着更少的代码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.