SQL 参数化与转义
如果您选择的语言/数据库有一个内置函数来转义用户输入(例如 mysql_real_escape_string),那么 SQL 参数化的参数是什么? mysql_real_escape_string 是否有可能在某些时候使应用程序容易受到攻击?
我使用参数化是因为我被告知/已经读到这是更好的方法,但我不想盲目跟随。有什么见解吗?谢谢!
If your language/database of choice has a built-in function to escape user-input, (for instance, mysql_real_escape_string) what are the arguments for SQL parameterization? Is it possible that mysql_real_escape_string might, at some point, leave an application vulnerable?
I use parameterization because I've been told / have read it's the better way to go, but I don't just want to follow blindly. Any insight? Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
参数化的论据是性能。
如果您要多次执行以下句子:
最好使用参数,因为查询将仅被评估(解析、计划分析和计算)一次,并且将被执行多次。
Arguments for parameterization is performance.
If you are going to execute the following sentence several times:
It's better to use parameters since the query is going to be evaluated only (parsed, plan analysis and computation) once, and will be executed many times.