What is the best way to call data from MySQL with speed and security in mind?
Can someone provide some suggestions for constructing MySQL queries that are both fast and secure?
Currently I am using the typical MySQL calling method:
$q = ("...");
$r = mysql_query($q);
but I was looking into OOP database programming, so I am wondering which method would be the best to use and implement on multiple pages with security and speed in mind.
The best way without much effort would be to use the PHP PDO [PHP Data Object] extension. Here is the manual for it:
http://php.net/manual/en/book.pdo.php
Example:
<?php
/* Execute a prepared statement by binding PHP variables.
   $dbh is the PDO connection; the DSN and credentials here are placeholders. */
$dbh = new PDO('mysql:host=localhost;dbname=test', 'EXAMPLE_USER', 'EXAMPLE_PASSWORD');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on SQL errors
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
$rows = $sth->fetchAll(PDO::FETCH_ASSOC); // the matching fruit rows
?>
You should learn the idea of "prepared statements" - it really improves security compared to the mysql_query() way.
For security purposes, always use database parameters instead of putting what the user provides directly in the query. You can do this by using either the mysqli_ family of functions or the PDO object.
For speed, you should just try to optimize your queries as much as possible, as well as try to make as few queries as possible, because each hit to the database will slow down your application.
The mysqlnd library included in PHP >= 5.3 is faster than the original mysql and mysqli libraries.
Security is a much bigger ball of wax, but the general principle to keep in mind is never to trust or assume that user-generated data is safe. Use the string escape functions on strings; make sure things you expect to be ints or floats are typecast as such.
It is hard to combine the most important features in one thing in general. PDO provides a data-access abstraction layer, so you write once and use your script with different database servers; however, PDO is not much faster than MySQLi, as the benchmark here shows, but it provides many other features: query cache, prepared statements, and support for most known database servers.
If you are really looking for an OOP database abstraction layer, then use PDO; it is easy to use and fast to learn.