在同一个查询中运行多个命令有什么不好
[英]What is the bad in running multiple commands in the same query
问题描述
I am using Sql-Server and Postgresql, usually when I need to run multiple commands, I open a new connection, and foreach needed query task I run a command (inserting 1000 rows, for example).
我正在使用 Sql-Server 和 Postgresql,通常当我需要运行多个命令时,我会打开一个新连接,然后为每个需要的查询任务运行一个命令(例如插入 1000 行)。
Is it bad if I run multiple query commands in a single command(queries separated by comma) vs previous behavior?如果我在单个命令(以逗号分隔的查询)中运行多个查询命令与以前的行为相比是否很糟糕?
1 个解决方案
解决方案1
0 已采纳 2020-10-15 21:00:52
Running multiple commands inside a single call (and being able to do it) makes you extremely vulnerable to SQL injections.在单个调用中运行多个命令(并且能够执行)使您极易受到 SQL 注入的攻击。 Any query, even a simple SELECT, becomes dangerous if somebody can append an UPDATE or DELETE statement afterwards.如果有人可以在之后附加UPDATE或DELETE语句,则任何查询,即使是简单的 SELECT,都会变得危险。 That's why many implementations (especially from PHP) simply inhibit the ability of submitting nested queries.这就是为什么许多实现(尤其是来自 PHP)只是禁止提交嵌套查询的能力。
On the other hand, as far as I know, there's almost no valid reason to do so.另一方面,据我所知,几乎没有正当理由这样做。 One usually maintains the connection open, then the overhead implied by the call itself is negligible.通常保持连接打开,那么调用本身隐含的开销可以忽略不计。
If what you seek is actually atomicity , then you want to try "transactions" instead ;如果您寻求的实际上是原子性,那么您想尝试“交易”;
If you worried about the complexity of your queries and don't want to make them be re-parsed at each time, you may take a look to "prepared statements" and stored procedures (or "functions" if you're using a recent version of PostGreSQL).如果您担心查询的复杂性并且不想每次都重新解析它们,您可以查看“准备好的语句”和存储过程(或“函数”,如果您使用的是最近的PostGreSQL 版本)。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.