使用准备好的mysql语句进行一个查询是否值得?
[英]Is it worth it using a prepared mysql statement for one query?
问题描述
If I have a simple prepared query like this: 
如果我有一个简单的准备好的查询,例如:
$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email) VALUES (?, ?, ?)");
$stmt->bind_param("sss", $firstname, $lastname, $email);
// set parameters and execute
$firstname = "John";
$lastname = "Doe";
$email = "john@example.com";
$stmt->execute();
And I only execute the query once during the lifetime of the page. 而且我在页面的生存期内只执行一次查询。
Is it worth it using a prepared mysql statements for queries like that? 使用准备好的mysql语句进行类似查询是否值得?
1 个解决方案
解决方案1
1 已采纳 2018-01-24 08:41:14
What you want most of all here is the security of parameterised queries. 您最需要的是参数化查询的安全性。 The API to do parameterised queries happens to be the same as the one for prepared statements. 用于执行参数化查询的API恰好与用于准备好的语句的API相同。 Or in other words, the API that enables the separation of the query structure from the submission of the values kills two birds with one stone: 换句话说,使查询结构与值提交分离的API可以杀死两只鸟,只用一块石头就可以杀死它们:
- Safe transfer of arbitrary values to the database engine. 安全地将任意值传输到数据库引擎。
- Reusability of already parsed queries. 已解析查询的可重用性。
It's worth it if you're just using one of them, you don't need to use both aspects at the same time to justify the use of the prepare API. 如果只使用其中之一,那是值得的,不需要同时使用这两个方面来证明使用prepare API的合理性。
The alternative of manually escaping values is always more error prone and verbose. 手动转义值的替代方法总是更容易出错和冗长。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.