MySQL、MySQLi、MySQL 准备语句还是 PDO?
在过去的几天里,我一直在关注许多有关与数据库交互的不同方式的教程。像旧的 MySQL 方式、MySQLi、MySQL 准备语句、PHP 的 PDO 等。
我仍然是编程的新手,因为我学习和开始编码还不到一年。我有时会付出很多努力来改进我的代码并遵守网络开发人员定义的标准。现在是我觉得我需要改变使用旧的 MySQL 方式(如 mysql_connect() 和 mysql_query())与数据库交互的方式的时候了。
我的生产机器上有以下配置。
- 安装了 MAMP 的 Mac OSX 10.6
- PHP 版本:5.2.13
- MySQL 客户端版本:5.1.44
您认为我应该使用什么来访问数据库,为什么?
- MySQL
- MySQLi
- MySQL 准备语句
- PDO
from the past few days i have been following a lot of tutorials regarding different ways to interact with database. like the old MySQL way, MySQLi, MySQL prepared statement, PHP's PDO etc.
i am still a new comer to the programming as it has been hardly 1 year since i learned and started coding. from time to time i have made lot of efforts on improving my codes and adhere to the standards as defined by the web developers. and now is the time i feel i change the way i am used to interact with the database using old MySQL way like mysql_connect() and mysql_query().
I have following configuration on my production machine.
- Mac OSX 10.6 with MAMP installed
- PHP version : 5.2.13
- MySQL client version: 5.1.44
what do you think i should be using for database access and why?
- MySQL
- MySQLi
- MySQL Prepared Statement
- PDO
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这使得我们只有两个可能的选择
MySQL Prepared Statementis an SQL implementation, I find it hardly usable in PHPwhich leaves us only two possible choices
这实际上取决于你在做什么。
如果您正在执行大量都使用准备好的语句的大量查询,准备好的语句(通过 mysqli 或 PDO)可能会很有用。准备好的语句速度更快,此外,您不必担心使用准备好的语句转义数据之类的事情,但它们需要一些代码开销,因此对于一个简单的应用程序,有时不值得使用准备好的语句,并且使用旧的 mysql_* 函数更容易达到预期目的。
It really depends on what you are doing.
Prepared statements (via mysqli or PDO) can be useful if you are doing lots of high volume queries that all use the prepared statement. The prepared statements are faster, additionally you don't have to worry about things like escaping data with prepared statements but they take a bit of code overhead so for a simple app sometimes it's not worth using prepared statements and using the old mysql_* functions are easier for the intended purpose.
与直接使用 MySQLi 相比,PDO for MySQL 有几个主要优点。
?) 占位符之外,PDO 中的预准备语句还支持命名占位符。LIMIT这是记录的。 ,并且有一个功能请求将此转换更改为字符串 .)将第 2 条到第 4 条结合起来,可以更轻松地以可证明注入安全的方式表达运算符
IN的右侧。使用 PDO,您可以构建具有顺序名称的关联数组(例如[':likeval0'=>$val0、':likeval1'=>$val1、':likeval2'=>$val2])然后在该数组的右侧安全地构建一个占位符列表。代码可能如下所示:MySQLi 仅支持
?占位符和通过变量参数函数调用进行一次性绑定。在 MySQLi 中,通过对列表中的每个元素使用$dbh->escape_string()来构造运算符IN的右侧实际上要容易得多。如果经过充分测试,这种方法对于 SQL 注入是安全的,但会引起一些“Bobby Tables”参数化纯粹主义者。PDO for MySQL has several major advantages over directly using MySQLi.
?) placeholders that MySQLi supports.call_user_func_array()black magic.$stmt->execute(), where each key's value is bound to the placeholder as the key. (Caveat: It casts each value to a string, so you have to bind one at a time if your statement has a variableLIMIT. This is documented, and there's a feature request to change this casting to string.)Items 2 through 4 combine to make it much easier to express the right side of operator
INin a provably injection-safe manner. With PDO, you can build an associative array with sequential names (such as[':likeval0'=>$val0, ':likeval1'=>$val1, ':likeval2'=>$val2])and then safely build a placeholder list on the right side out of that array. Code might look like this:MySQLi supports only
?placeholders and all-at-once binding through a variable argument function call. In MySQLi, constructing the right side of operatorINis actually a lot easier by using$dbh->escape_string()for each element in a list. This approach is safe against SQL injection if well tested but raises red flags with some "Bobby Tables" parameterization purists.