使用参数对不更改的查询参数有任何好处吗?
我正在使用使用QueryBuilder进行DBAL(学说)ORM的PHP类中编写方法。
我喜欢的一件事是,我们可以轻松地使用生成的SQL中的参数。但是,由于我正在研究一些查询,并且我注意到在许多情况下,查询的参数不更改(例如“ where is_Active = 1”),其中“ 1”已被参数化。
在这些功能中编写的这些值的参数化是否从来没有真正地或暴露?
示例:
$this->db->select('u.LastName, u.FirstName, s.*')
->from('scores', 's' )
->join( 's', 'user', 'u', 's.user_id = u.id')
->where( "s.active = :is_active")
->andWhere("s.id = :user_id" )
->setParameters(['is_active' => 1, 'user_id' => $user_id]);
与这样的事情相比:
$this->db->select('u.LastName, u.FirstName, s.*')
->from('scores', 's' )
->join( 's', 'user', 'u', 's.user_id = u.id')
->where( "s.active = 1")
->andWhere("s.id = :user_id" )
->setParameter('user_id', $user_id);
我通常不是皮带和吊带式的家伙(这意味着我只是为了安全起见),如果没有好处,那么我可能不会这样做。
我看了看DBAL文档和MySQL文档,但我看不到任何一种告诉我一种或另一种方式的东西。也许其他人有更好的Google-Fu或个人经验。
预先感谢
Garyc。
I am writing methods in PHP classes that use QueryBuilder for the DBAL (Doctrine) ORM.
One of the thing I like about this is that we can easily use parameters in the SQL that is generated. However, as I was working on a few queries and I notice that there are many instances where the query has parameters that dont change (like "WHERE is_active = 1") where the "1" has been parameterized.
Is there any benefit to parameterizing these values that are written in these functions that aren't ever truly in line or exposed?
example:
$this->db->select('u.LastName, u.FirstName, s.*')
->from('scores', 's' )
->join( 's', 'user', 'u', 's.user_id = u.id')
->where( "s.active = :is_active")
->andWhere("s.id = :user_id" )
->setParameters(['is_active' => 1, 'user_id' => $user_id]);
versus something like this:
$this->db->select('u.LastName, u.FirstName, s.*')
->from('scores', 's' )
->join( 's', 'user', 'u', 's.user_id = u.id')
->where( "s.active = 1")
->andWhere("s.id = :user_id" )
->setParameter('user_id', $user_id);
I am not usually a Belt and Suspenders guy, (meaning I do it just to be safe), if there is no benefit, then I probably wouldn't do it.
I have looked at the DBAL docs and MySQL docs and I just don't see anything that tells me one way or the other. Maybe someone else has better Google-Fu or personal experience.
Thanks in advance,
GaryC.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
没有技术利益。如果值始终是常数
1,那么您最好将其作为查询中的字面意义,如第二个示例所示。可能会有一个好处是开发人员文化问题,而不是技术利益。如果您的开发人员团队的某些成员是新手,并且很难理解何时使用参数,以及何时安全地不使用参数,则为他们提供指导 emall 在任何SQL表达式中,至少意味着它们确实需要使用参数。
There is no technical benefit. If the value is always a constant
1, you might as well make it a literal in the query, as you show in your second example.There may be a benefit that is a developer culture issue, not a technical benefit. If some members of your developer team are novice and have a hard time understanding when to use a parameter and when it's safe not to use a parameter, then giving them a guideline to always use a parameter for any value in any SQL expression at least means they will use parameters when they really need to do so.