How do PHP PDO's prepared statements prevent SQL injection? What are the other benefits of using PDO? Does using PDO reduce efficiency?

2021-12-26 00:00:00 php pdo sql-injection

I keep coming across the sentence "PHP PDO's prepared statements prevent SQL injection."

  • How do PHP PDO's prepared statements prevent SQL injection?
  • What are the other pros/cons of using PDO (PDO's prepared statements)?
  • Does using PDO (PDO's prepared statements) reduce efficiency?


I have read this: Are PDO prepared statements sufficient to prevent SQL injection? But the data there is not completely clear.

Recommended answer


Well, at second glance your question looks too complex to be answered with just one link.


How do PHP PDO's prepared statements prevent SQL injection?

How can prepared statements protect from SQL injection attacks?


What are other pros/cons of using PDO?


Most interesting question.
The greatest PDO disadvantage is: it is peddled and propagated as a silver bullet, another idol to worship.
Yet without understanding it will do no good at all, like any other tool.
PDO has some key features like

  • Database abstraction. It's a myth, as it doesn't alter the SQL syntax itself. And you simply can't use MySQL auto-incremented ids with PostgreSQL. Not to mention the fact that switching database drivers is not among a developer's frequent decisions.
  • Placeholder support, implementing native prepared statements or emulating them. A good approach but a very limited one. There is a lack of necessary placeholder types, like an identifier or SET placeholder.
  • A helper method to get all the records into an array without writing a loop. Only one. When you need at least 4 to make your work sensible and less boring.


Does using PDO reduce efficiency?


Again, it is not PDO but prepared statements that reduce efficiency. It depends on the network latency between the db server and your application, but you may count it negligible for most real-world cases.
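The following is an added example, not code from the original question or answer. It puts the three points above side by side in PHP against an in-memory SQLite database (constructed sample rows, `pdo_sqlite` assumed to be available): a concatenated query that the payload `' OR '1'='1` breaks out of, the same lookup through a PDO prepared statement where the payload is only ever compared as a string, the "no identifier placeholder" limitation with a whitelist as the usual workaround, and a prepare-once/execute-many loop that is how the per-statement round-trip cost gets amortised in practice. All function and table names are the example's own.

```php
<?php
// Added example (not from the original answer). Uses SQLite in memory so it runs
// offline; swap the DSN for mysql:/pgsql: and the behaviour is the same.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('carol', 'user')");

// Attacker-controlled input, as it would arrive via $_GET['name'].
$payload = "' OR '1'='1";

// 1. Vulnerable on purpose: the input is pasted into the SQL text, so the quote
//    closes the literal and "OR '1'='1" is parsed as part of the WHERE clause.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the SQL text is fixed before any data is supplied. With
//    native prepares the server receives query and parameters separately; with
//    emulated prepares PDO quotes the value client-side before sending. In both
//    cases the payload is a string being compared against the name column and can
//    never change the statement's structure.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Limitation the answer mentions: a placeholder stands for a value, never an
//    identifier. Binding a column name here produces ORDER BY 'role', a constant
//    expression, so the rows are not sorted by the role column at all.
function listSortedByBoundColumn(PDO $pdo, string $column): array
{
    $stmt = $pdo->prepare('SELECT name FROM users ORDER BY ?');
    $stmt->execute([$column]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The usual workaround: map user input onto a whitelist of known identifiers and
// interpolate only the whitelisted literal, which is the application's own text.
function listSortedWhitelisted(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Unknown sort column: $column");
    }
    $sql = "SELECT name FROM users ORDER BY $column, name";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 4. Efficiency: the extra round trip is paid once per prepare(), not per row.
//    Preparing outside the loop and executing inside it keeps the cost constant
//    however many lookups are made.
function rolesFor(PDO $pdo, array $names): array
{
    $stmt = $pdo->prepare('SELECT role FROM users WHERE name = ?');
    $roles = [];
    foreach ($names as $name) {
        $stmt->execute([$name]);
        $roles[$name] = $stmt->fetchColumn();
    }
    return $roles;
}

var_dump(findByNameConcat($pdo, $payload));
var_dump(findByNamePrepared($pdo, $payload));
var_dump(listSortedByBoundColumn($pdo, 'role'));
var_dump(listSortedWhitelisted($pdo, 'role'));
var_dump(rolesFor($pdo, ['alice', 'bob', 'nobody']));
```

Run it with `php example.php`. The concatenated lookup returns every user because the payload rewrote the WHERE clause; the prepared lookup returns no rows because no user is literally named `' OR '1'='1`. The bound `ORDER BY` leaves the rows in table order, while the whitelisted version sorts admin before user; that difference is the whole reason the answer complains about the missing identifier placeholder. The last call shows the pattern that makes the prepare/execute split cheap: one `prepare()`, many `execute()` calls, with `fetchColumn()` returning `false` for the name that does not exist.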
