問題描述

我混淆了這兩個函數 Bindvalue() 和 BindParam()

I am confuse between these two functions Bindvalue() and BindParam()

1. 我在 php.net 上看到它不會轉義 % 和 _，所以在使用 LIKE 時要小心.所以我認為當我們使用 LIKE 查詢時不使用 BindValue().
2. 當我們使用LIKE 查詢BindParam() 被使用.因為據我所知 BindParam 可以轉義這些 % 和 _.
3. BindValue() 不提供針對 sql 注入的保護.我不確定這一點，是真的嗎?

1. I read on php.net it does not escape % and _, so be careful when using LIKE. So i think BindValue() is not used when we are using LIKE query.
2. when we using LIKE query BindParam() is used. Because as i know BindParam can escape these % and _.
3. BindValue() doesn't gives protection against sql injection. I am not sure about this, is it true?

朋友們說說我在這3點中所說的對與錯.我是 PDO 的初學者，所以請解釋清楚..

friends tell what i mention in these 3 points is right or wrong. i am beginner in PDO so please explain it clearly ..

推薦答案

值的轉義方式和不轉義方式應該沒有區別.bindParam 與 bindValue 的不同之處在于它引用變量，僅在執行語句時綁定值.bindValue 立即獲取 value.舉例說明:

There should be no difference in how values are escaped or not escaped. bindParam differs from bindValue in that it references the variable, binding the value only when you execute the statement. bindValue takes the value immediately. To illustrate:

$stmt = $db->prepare('SELECT * FROM `table` WHERE foo = :foo');

$foo = 'foo';
$stmt->bindValue(':foo', $foo);
$foo = 'bar';

$stmt->execute();

上面的執行類似于 SELECT * FROM table WHERE foo = 'foo';

$stmt = $db->prepare('SELECT * FROM `table` WHERE foo = :foo');

$foo = 'foo';
$stmt->bindParam(':foo', $foo);
$foo = 'bar';

$stmt->execute()

上面的執行類似于 SELECT * FROM table WHERE foo = 'bar'.

確實沒有將_或%當成特殊字符，因為一般來說，就語法而言，它們不是特殊字符，數據庫驅動程序無法分析上下文來確定您是 mean % 是通配符還是 LIKE<上下文中的實際字符%"/code> 查詢.