Difference between PDO / prepared statements - PHP/MySQL
I tried Googling to find any disadvantage but did not find any!
I'll be glad if anyone shares something on this topic!
Advantages/disadvantages of PDO and prepared statements
Edit 2:
I think everyone wants to say prepared statements are better than PDO?
Am I right?
Comments (2)
The major disadvantage of PDO will be that it takes a bit more querying time (I cannot "prove" this, so don't take it as fact, just what I have noticed/read), which is well less than a second. But if you need that extra less-than-a-second, mysqli offers prepared statements like PDO and, I believe, works a bit quicker given it is set for one database and not many. It is more code, but as nikic stated, use a wrapper class to set up your statements so your code can look something like:

where fetchAll is a custom function you write to handle the binding of the params etc.

Which would I use? mysqli or PDO (PDO, due to its versatility, personally). MySQL (not mysqli) is kind of outdated, and in the end you could be writing a lot more code using MySQL
in that you always have to filter the input (as in escape to prevent SQL injections, it will not validate what should be put in there) before putting it into the database. Using prepared statements, the filtering is all done for you and the chance for an Injection is very low as long as it is used properly.准备好的语句真正的一大优点是传递给 ? 的参数。检查有效性。所以 SQL 注入攻击比你创建这样的 sql 更难,
The real big advantage of prepared statements is that the parameters passed in to the ? are checked for validity. So SQL injection attacks are harder than if you create your SQL something like this:
as if someone could enter the following into the form:
then you could be in trouble.
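The two forms the comment contrasts, as an added example that is not the commenter's code: a query assembled by string concatenation, shown against a constructed login input that turns the rest of the WHERE clause into a comment, and the prepared-statement version of the same lookup. The table and column names (users, name, password_hash), the attacker string and the connection details are assumptions for the illustration. The safe version also moves the password check out of SQL and into password_verify, which is what a practitioner should be doing anyway.

```php
<?php
// Added example (not from the comment above): a string-built query beside the
// prepared-statement version. Table/column names, the attacker input and the
// connection details are constructed for illustration.
declare(strict_types=1);

// Vulnerable: the form values become part of the SQL text itself.
function findUserUnsafe(string $name, string $password): string
{
    return "SELECT id FROM users WHERE name = '$name' AND password = '$password'";
}

// Constructed attacker input for the "name" field of a login form.
$attack = "admin' -- ";
echo findUserUnsafe($attack, 'wrong'), "\n";
// Prints: SELECT id FROM users WHERE name = 'admin' -- ' AND password = 'wrong'
// In MySQL "-- " starts a comment, so the password condition is discarded and
// the query matches the admin row with no password at all.

// Safe: the SQL text is fixed at prepare time; the values travel separately to
// the server and are only ever compared as data, never parsed as SQL.
function findUserSafe(PDO $pdo, string $name, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The injection attempt is now just a literal name that matches no row.
    // Verify the password in PHP against the stored hash instead of comparing
    // plaintext inside the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage (assumes a MySQL database "app"; hypothetical connection details).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // server-side prepares, no client-side splicing
]);
var_dump(findUserSafe($pdo, $attack, 'wrong')); // NULL: no user is named "admin' -- "
```

Note that the server does not "check" parameter values in any semantic sense; the protection comes from the fact that the statement's structure is already parsed before the values arrive, so no value can change it. That is also why escaping with mysql_real_escape_string, which only edits the string before it is spliced in, is a weaker substitute.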