当前位置: 文江博客话题详情

准备好的语句的最佳实践;什么时候该做,什么时候不该做

发布于 2024-09-12 13:49:17 字数 333 浏览 4 评论 0原文

我最近开始在 Web 应用程序中再次使用准备好的语句,并且我知道不鼓励对所有事务使用准备好的语句。我不知道什么时候最好使用准备好的语句。

我读过何时使用和不使用它们,但没有一个示例真正讲述了使用它们的最佳实践。

我试图弄清楚哪些数据库调用我应该使用它们,哪些数据库调用我不应该使用它们。

例如,MySQL 网站在下一页的“何时使用准备好的语句”中提到了它 准备语句-MySQL

原文

I recently have began using prepared statements again in a web application, and I know that it is discouraged to use prepared statements for all the transactions. What I do not know is when it is best to use prepared statements or not.

I have read of when to use and not use them, but none of the examples really tell best practice of using them.

I am trying to figure out which database calls I should be using them for and which ones I should not.

For Example the MySQL website mentions it in "When to use prepared statements" on the following page Prepared Statements-MySQL

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

陈年往事 2024-09-19 13:49:17

决定是否使用PreparedStatement 的一般经验法则是:

使用准备好的语句,除非您
有充分的理由不这样做。
编译准备好的语句
在执行之前因此借给
更好的性能,并增加
防止 SQL 注入的安全性
数据库服务器负责
特殊字符的编码。

根据您引用的文章,我认为准备语句不如普通查询或存储过程有用的原因列表如下:

  • 一次性查询。如果您的应用程序对数据库进行单个查询,并且与其他查询相比很少执行此操作,那么在这种情况下使用准备好的语句可能没有意义。基本原理是必须首先编译准备好的语句,并将该语句的“编译”形式缓存起来以供以后使用。对于不经常运行的查询,编译是一种开销。但仍然最好使用准备好的语句,以避免任何 SQL 注入问题。
  • 数据密集型操作。有时,准备好的语句不如存储过程有效,特别是当需要在同一事务中执行一系列操作时。当您的业务流程需要对各种表执行多次选择、更新和删除时,存储过程通常比一堆相继执行的准备好的语句更好。这种性能损失可能会变得严重,因为执行多个语句需要多次网络访问,而调用存储过程时这种性能损失会大大减少。这种效果在查询批处理中更为明显,其中在短时间内创建和销毁多个对象。这通常是数据库管理员和应用程序开发人员之间有争议的问题,因为这是一种边缘情况; DBA 会认为,通过 SP 更好地执行批处理操作,而应用程序开发人员则认为,PreparedStatements 可以处理它(通常最好将所有逻辑放在一层中)。最终归结为应用程序是否有使用 SP 的优势。
  • 支持本机数据库操作和类型。。这可能不适用于 MySQL,但一般来说 JDBC 标准并不支持数据库支持的所有操作,以及数据库支持的所有 SQL/本机/自定义类型。这在 Oracle 数据库(可能还有 IBM DB2?)中更为明显,程序员可以在其中创建自己的类型,这需要编写自定义 Java 代码,因为 JDBC 标准不支持数据库中的用户定义类型。类似地,数据库中的其他操作也不需要支持(如 MySQL 文档所述)——无法使用准备语句创建用户(执行 CREATE USER)、修改用户权限(执行 GRANT 操作)等。存储过程更适合此任务,因为它们可以直接或间接方式访问数据库的本机操作集。

The general thumb rule in deciding whether to go for a PreparedStatement or not is:

Use Prepared Statements, unless you
have sufficient reason not to.
Prepared Statements are compiled
before execution therefore lending to
better performance, and increased
security against SQL injection as the
database server takes care of the
encoding of special characters.

Going by the article that you have referenced, the list of reasons where I believe Prepared Statements are less useful than normal queries or stored procedures are:

  • One-time queries. If your application makes a single query to the database, and this is done infrequently compared to the other queries, it might not make sense to use a Prepared Statement in this case. The rationale is that the Prepared Statement must first be compiled and the 'compiled' form of the statement is cached for later use. For queries that are run infrequently, the compilation is an overhead. But still, it is preferable to use prepared statements, to avoid any SQL injection issues.
  • Data-intensive operations. Sometimes Prepared Statements are not as effective as stored procedures, especially when a sequence of operations need to be performed in the same transaction. When you have a business process that requires multiple selects, updates and deletes to be executed against a variety of tables, stored procedures are often better than a bunch of prepared statements executed one after the other. This performance penalty can turn serious as several network trips are made for the execution of multiple statements, which is considerably reduced when invoking a stored procedure. This effect is more pronounced in query batching where several objects are created and destroyed in a short duration of time. This often tends to be a contentious issue between database administrators and application developers, as this is an edge-case; DBAs will believe that the batching of operations is better performed via SPs, while application developers believe that PreparedStatements can handle it (its usually better to have all logic in one tier). It eventually boils down to the application on whether using SPs is an advantage or not.
  • Support for native database operations and types.. This might not hold good for MySQL, but in general the JDBC standard does not support all the operations supported by a database, and all the SQL/native/custom types supported by the database. This is more pronounced in the Oracle database (and possibly IBM DB2?), where programmers can create their own types, which require custom Java code to be written as the JDBC standard does not support User-Defined Types in the database. Similarly, other operations in the database need to not supported (as the MySQL document states) - one cannot create users (execute CREATE USER), modify user privileges (perform GRANT operations) etc. using a Prepared Statement. Stored procedures are better suited to this task, as they would have access to the native operation set of the database, either in a direct or indirect manner.
回复 原文
万水千山粽是情ミ 2024-09-19 13:49:17

为了防止 SQL 注入,最好在 Java 中使用准备好的语句

。有关更多信息:SQL 注入准备好的声明?

In order to prevent SQL Injection it is better to use prepared statements in Java

For more information: SQL injections with prepared statements?

回复 原文
你对谁都笑 2024-09-19 13:49:17

ReadyStatements 有两个主要用途:

  1. 防止 SQL 注入攻击。这基本上意味着自动清理来自外部源(Web 浏览器是外部的!)的输入,这些输入将保存到数据库。
  2. 批处理。如果您有大量数据需要一次输入/修改/删除数据库,则可以使用PreparedStatement。在这种情况下,PreparedStatement 优化了此类操作的大部分开销,并允许您编写快速的数据库批处理代码。

这两个原因都是非常令人信服的理由,几乎总是可以证明使用PreparedStatement是合理的,但是根据您使用数据库的方式,您可能会遇到PreparedStatement不允许您执行您想要的操作的情况。

作为这种情况的一个例子,我曾经编写过一个工具,它根据某些抽象的运行时属性动态生成表名,这意味着我必须能够使用可变表名进行 SQL 查询;你无法使用PreparedStatement 获得这些内容,因此我不得不使用原始语句和一些预处理技巧来重新利用PreparedStatement 进行SQL 注入保护。

PreparedStatements have two major uses:

  1. Preventing SQL injection attacks. This basically means automated sanitizing of inputs from external sources (web browser is external!) which are going to be saved to the database.
  2. Batch processing. If you have a lot of data to enter into/modify in/remove from database at once, PreparedStatement can be used for that. In this case, PreparedStatement optimizes away most of the overhead of such operations and allows you to write fast database batch code.

Both of these reasons are a very compelling ones to justify using PreparedStatement almost always, however depending on how you're using the database you may hit a point where PreparedStatement won't allow you to do what you want.

As an example of such case, I've once written a tool which generated table names on the fly based on runtime properties of certain abstractions which meant that I had to be able to have SQL queries with mutable table names; you can't get those with PreparedStatement so I had to use raw Statements and some preprocessing trickery to get back to utilizing PreparedStatements for SQL injection protection.

回复 原文
~没有更多了~

关于作者

少女的英雄梦

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

留蓝

文章 0 评论 0

18790681156

文章 0 评论 0

zach7772

文章 0 评论 0

Wini

文章 0 评论 0

ayeshaaroy

文章 0 评论 0

初雪

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文