bindValue() 和 bindParam() 之间的混淆?
我混淆了这两个函数 Bindvalue() 和 BindParam()
I am confuse between these two functions Bindvalue() and BindParam()
- 我在 php.net 上看到它不会转义
%和_,所以在使用LIKE时要小心.所以我认为当我们使用 LIKE 查询时不使用BindValue(). - 当我们使用
LIKE查询BindParam()被使用.因为据我所知 BindParam 可以转义这些%和_. BindValue()不提供针对 sql 注入的保护.我不确定这一点,是真的吗?
- I read on php.net it does not escape
%and_, so be careful when usingLIKE. So i thinkBindValue()is not used when we are using LIKE query. - when we using
LIKEqueryBindParam()is used. Because as i know BindParam can escape these%and_. BindValue()doesn't gives protection against sql injection. I am not sure about this, is it true?
朋友们说说我在这3点中所说的对与错.我是 PDO 的初学者,所以请解释清楚..
friends tell what i mention in these 3 points is right or wrong. i am beginner in PDO so please explain it clearly ..
推荐答案
值的转义方式和不转义方式应该没有区别.bindParam 与 bindValue 的不同之处在于它引用变量,仅在执行语句时绑定值.bindValue 立即获取 value.举例说明:
There should be no difference in how values are escaped or not escaped. bindParam differs from bindValue in that it references the variable, binding the value only when you execute the statement. bindValue takes the value immediately. To illustrate:
$stmt = $db->prepare('SELECT * FROM `table` WHERE foo = :foo');
$foo = 'foo';
$stmt->bindValue(':foo', $foo);
$foo = 'bar';
$stmt->execute();
上面的执行类似于 SELECT * FROM table WHERE foo = 'foo';
$stmt = $db->prepare('SELECT * FROM `table` WHERE foo = :foo');
$foo = 'foo';
$stmt->bindParam(':foo', $foo);
$foo = 'bar';
$stmt->execute()
上面的执行类似于 SELECT * FROM table WHERE foo = 'bar'.
确实没有将_或%当成特殊字符,因为一般来说,就语法而言,它们不是特殊字符,数据库驱动程序无法分析上下文来确定您是 mean % 是通配符还是 LIKE<上下文中的实际字符%"/code> 查询.
It's true that neither cares about _ or % as special characters, because generally speaking they aren't special characters as far as the syntax is concerned, and the database driver is not able to analyze the context to figure out whether you mean % to be a wildcard or the actual character "%" in the context of a LIKE query.
两者都可以防止 SQL 注入.
Both protect against SQL injection.
相关文章