PHP-MySQL 中 SELECT 的参数值编码
下面的 Alt A 是来自 php-mysql 教程的语句。 它按其应有的方式工作。
我发现 id 值相当混乱并测试了 alt B。这也有效!
alt A 的 id 值有什么意义?
MySQL 5.0.51、PHP 5.2.6
// Alt A :
$sql = "SELECT * FROM example WHERE id = '".$q."'";
// Alt B :
$sql = "SELECT * FROM example WHERE id = $q";
Alt A below is a statement from a php-mysql tutorial. It works as it should.
I found the id-value rather obfuscated and tested alt B. This also worked!
What is the point with the id-value of alt A?
MySQL 5.0.51, PHP 5.2.6
// Alt A :
$sql = "SELECT * FROM example WHERE id = '".$q."'";
// Alt B :
$sql = "SELECT * FROM example WHERE id = $q";
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
这只是从静态数据和可变数据构建字符串的两种不同方法。
替代方案 A 使用串联,或使用串联运算符连接字符串和变量标记。
替代方案 B 使用变量扩展,其中双引号分隔字符串内的变量在计算时扩展为它们的值。
两者都不一定更好或首选,但例如,如果您必须使用单引号分隔的字符串,那么您将需要使用替代方案 A。
当然,这些都比构建 SQL 更可取使用绑定参数进行查询,因为不这样做会使您容易受到 SQL 注入攻击。
This are just two different approaches to building a string from static and variable data.
Alternative A uses concatenation, or the joining of string and variable tokens using the concatenation operator.
Alternative B uses variable expansion, wherein the variables inside a double-quote-delimited string are expanded to their values at evaluation time.
Neither is necessarily better or preferred, but if you have to have single-quote-delimited strings, for example, then you would need to use alternative A.
Of course, neither of these is preferable to building SQL queries with bound parameters, as not doing so leaves you vulnerable to SQL injection attacks.
使用“Alt A”中的示例有两个原因。 首先,如果字符串用单引号 '' 括起来,则字符串中将使用变量的名称而不是其值。
其次,将字符串与函数调用的结果组合起来很有用。
Theres two reasons to use the example in 'Alt A'. First is if the string is enclosed in single quotes '', the variable's name will be used in the string instead of it's value.
Secondly, it's useful to combine strings with the results of a function call.
除了已经说过的内容之外,我发现最好的做法是,如果我正在编写查询,请按如下方式编写:
$sql = "SELECT * FROM table WHERE uid=" 。 $uid . “限制1”;
像这样编写 SQL 的原因是 1. MySQL 查询不必解析查询中的 PHP 变量,2. 您现在可以轻松读取和管理查询。
Outside of what has already been said I've found it best practice, if I'm writing a query, to write it as so:
$sql = "SELECT * FROM table WHERE uid=" . $uid . " LIMIT 1";
The reason for writing SQL like this is that 1. MySQL query doesn't have to parse the PHP variables in the Query and 2 you now easily read and manage the query.
当PHP与MySQL通信时,实际上(本质上)是两种语言在相互通信。 这意味着字符串在发送到另一种语言之前将由第一种语言处理。 这也意味着考虑接收语言非常重要
在这种情况下:
您告诉 MySQL
“SELECT * FROM example1 WHERE id = some_name。
在这种情况下:
在这种情况下:
您告诉 MySQL
“从 example1 中选择 *,其中 id = 'some_name'。
第一个示例应该会导致错误,因为 some_name 不是 MySQL 查询的有效部分(在该上下文中)。 另一方面,接下来的两个将正常工作,因为 MySQL 将查找字符串“some_name”。
When PHP communicates with MySQL, it is actually (in essence) two languages communicating with each other. This means that a string will be processed by the first language before being sent to the other. It also means that it is important to think in terms of the receiving language
In this case:
you are telling MySQL to
"SELECT * FROM example1 WHERE id = some_name.
In this case:
and this case:
you are telling MySQL to
"SELECT * FROM example1 WHERE id = 'some_name'.
The first example should cause an error as some_name is not a valid part of a MySQL query (in that context). On the other hand, the next two will work fine, because MySQL will look for the String "some_name".
您也可以这样做:
这对于引发以下事情很有用:
You can also do this:
which is useful for setting off things like:
在 'alt B' 中,$q 必须是 int 或 float 或其他数字。
在 'alt A' 中,$q 可以是任何字符串、int 等。
单引号使之成为可能。 如果你是第一次看的话,有时很难看清。
in 'alt B', $q must be an int or float or other numeric
in 'alt A', $q can be anything a string, int, etc.
The single quote makes that possible. It's just hard to see sometimes if you are looking at it for the first time.