从mysql_query转换为准备好的语句(mysqli / PDO)? 必要?
[英]Converting from mysql_query's to prepared statements (mysqli/PDO)? Necessary?
问题描述
I have been learning PHP and MySQL over the last few weeks, and I'm just now hearing about prepared statements and PDO/mysqli. 
在过去的几周里,我一直在学习PHP和MySQL,而我现在刚听到有关准备好的语句和PDO / mysqli的信息。 I did some reading and people are saying that stuff like: 我读了一些书,有人说:
$getFromDatabase = mysql_query("SELECT * FROM table WHERE userid='$id'");
while($row = mysql_fetch_assoc($getFromDatabase)){
stuff();
}
...won't work anymore. ...将不再工作。 I use stuff like that pretty frequently in my code. 我在代码中经常使用类似的东西。 I also am reading a lot about how prepared statements are much better protection against injection. 我还阅读了很多有关准备好的语句如何更好地防止注入的信息。 I've got a thorough understanding of how it is better, but is it so much better that it's worth switching away from mysql_real_escape_string()? 我对它的更好之处有透彻的了解,但是它好得多了,值得从mysql_real_escape_string()切换过来吗? Is it necessary to switch to Mysqli or PDO? 是否需要切换到Mysqli或PDO? In what situation could mysql_real_escape_string() be bypassed where a prepared statement couldn't? 在什么情况下可以绕过mysql_real_escape_string()的地方?
1 个解决方案
解决方案1
7 已采纳 2012-08-29 01:35:14
It's necessary because mysql_query is, in software terms, an ancient artifact. 这是必要的,因为从软件角度来讲, mysql_query是一个古老的工件。 It's the Model T of MySQL database interfaces, clunky, unreliable, and downright dangerous if not used exactly as you should. 这是福特T型车的MySQL数据库接口,笨重,不可靠,而且非常危险,如果你不能准确使用。 If you're not extremely careful you will make a mistake, and even a tiny mistake will not go un-noticed if someone uses an automatic SQL injection bug detection tool on your site. 如果您不太谨慎,那么您将犯错,并且即使有人在您的站点上使用自动SQL注入漏洞检测工具 ,也不会引起微小的错误。
Basically you're living on borrowed time with mysql_query . 基本上,您是靠mysql_query 。
If you use mysqli or PDO and are diligent about using placeholders then the risk of a SQL injection bug is very low. 如果您使用mysqli或PDO并努力使用占位符,则SQL注入错误的风险非常低。 It may take about half an hour to figure out how to convert your old code to these new methods, there really isn't a steep learning curve, and that knowledge will save you a lot of trouble in the future. 可能需要大约半小时的时间才能弄清楚如何将旧代码转换为这些新方法,实际上并没有那么陡峭的学习曲线,而且这种知识将来会为您节省很多麻烦。 Converting existing code usually isn't too big a deal if you use mysqli and basic placeholders. 如果使用mysqli和基本占位符,则转换现有代码通常没什么大不了的。 I bet you even find some serious bugs while patching things up. 我敢打赌,在修补问题时,您甚至还会发现一些严重的错误。
In terms of benefits, you won't need to make any mysql_real_escape_string calls, you can just use bind_param , and you won't have to worry about missing an escape on one of your variables. 就好处而言,您无需进行任何mysql_real_escape_string调用,只需使用bind_param ,而且您不必担心会丢失其中一个变量的转义。 It's actually a lot less work in the long-run. 从长远来看,实际上要少很多工作。
Additionally, using ? 此外,使用? or a named placeholder like :id makes your queries significantly easier to read, debug and maintain. 或诸如:id类的命名占位符可以使您的查询明显更易于阅读,调试和维护。 Further, you can use the same statement repeatedly and bind different values to it, ultimately making your application faster. 此外,您可以重复使用同一条语句并将不同的值绑定到该语句,最终使您的应用程序更快。
It is possible to write safe code with mysql_query but why would you? 可以使用mysql_query编写安全的代码,但是为什么呢? The interface is listed as deprecated, which is the preliminary stage to it being removed from PHP entirely. 该接口被列为已弃用,这是从PHP完全删除该接口的初步阶段。 If you want a future-proof application, it's best to use one of the supported interfaces. 如果您想要面向未来的应用程序,则最好使用受支持的接口之一。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.