Problem description
I have this question to clear things up. I have read some documentation and comments around, but some things are still just not clear enough.
- I know PDO offers more drivers, which is of course a plus if you change the database type.
- As said in another post, PDO does not offer true prepared statements but mysqli does, so using MYSQLI would be safer.
- Benchmarks look similar (I did not test myself, but checked some benchmarks online).
- Object orientation is not a problem for me, since mysqli is catching up. But a benchmark of procedural mysqli against PDO would be nice, as procedural should be slightly faster.
But here is my question: with prepared statements, do we have to use parameter binding with the data we use in our statement? Is it good practice, or a must? I understand prepared statements are good performance-wise if you run the same query multiple times, but is that enough to secure the query itself, or is binding parameters a must? What exactly do the binding parameters do, and how do they work to protect the data from SQL injection? It would also be appreciated if you point out any misunderstanding in the statements I made above.
Recommended answer
In short,
- Binding is a must, being a cornerstone of protection, no matter whether it is supported by a native driver or not. It is the idea of substitution that matters.
- The difference is negligible in either safety or performance.
- Performance is the last thing to consider. There is NO API that is considerably slower than another. It is not a class or a function that may cause whatever performance problem, but data manipulation or a bad algorithm. Optimize your queries, not the mere functions used to call them.
- If you are going to use a raw, bare API, then PDO is the only choice. When wrapped in a higher-level class, mysqli seems preferable for MySQL.
- Both mysqli and PDO lack bindings for identifiers and keywords. In this case a whitelist-based protection must be implemented. Here is my article with a ready-made example, Adding a field name to the SQL query dynamically
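The three points the answer makes (a bound value is only ever data, a concatenated value becomes part of the SQL text, and identifiers cannot be bound so they need a whitelist) can be seen side by side in the following added example. It is not code from the question, the answer or the linked article. It uses PDO with an in-memory SQLite database so that it runs offline without a MySQL server; the `users` table, its rows, the attacker input and the `findByName*` / `findAllOrderedBy` function names are all constructed for this illustration, and it assumes the `pdo_sqlite` extension is available in the local PHP build.

```php
<?php
// Added example, not part of the original question or answer.
// PDO + in-memory SQLite so it runs offline. Table, rows and attacker
// input are constructed for the illustration. Assumes pdo_sqlite is loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would additionally set PDO::ATTR_EMULATE_PREPARES to
// false, so that the server performs the substitution instead of the driver
// building the SQL string client-side. The binding is what matters either way.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Attacker-controlled value: closes the string literal and comments out the rest.
$attackerInput = "' OR 1=1 --";

// 1. Vulnerable: the value is pasted into the SQL text, so it can change the query.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Safe: the value is sent as a parameter, separate from the query text.
//    Whatever it contains, it is compared as a whole against the name column.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Identifiers (column names) cannot be bound. Check the caller's value
//    against a fixed whitelist and only then put it into the query text.
function findAllOrderedBy(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Column not allowed: $column");
    }
    // Quote the identifier anyway: double quotes for SQLite, backticks for MySQL.
    return $pdo->query("SELECT name FROM users ORDER BY \"$column\"")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Same input, two outcomes: string building leaks every row, binding leaks nothing.
print_r(findByNameUnsafe($pdo, $attackerInput));
print_r(findByNameSafe($pdo, $attackerInput));

// Dynamic ORDER BY guarded by the whitelist.
print_r(findAllOrderedBy($pdo, 'name'));
try {
    findAllOrderedBy($pdo, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. The unsafe function returns both users because the query becomes `WHERE name = '' OR 1=1 --'`, while the bound version returns no rows because no user is literally named `' OR 1=1 --`. The same pattern applies to mysqli: `$stmt = $mysqli->prepare('... WHERE name = ?'); $stmt->bind_param('s', $name);` binds the value, and the whitelist step for the column name is identical, since neither API can bind an identifier.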
This concludes the article on PDO vs MYSQLI, prepared statements and binding parameters.