Question
I have this very question to clear things up. I read some documentation and comments around, but still some things are just not clear enough.
- I understand that PDO offers more drivers, which is certainly a plus if you want to change the database type.
- As another post states, PDO does not offer real prepared statements but mysqli does, so using MYSQLI would be safer.
- Benchmarks look very similar (I did not test them myself, but checked some benchmarks on the web).
- Object orientation is not an issue for me since mysqli has caught up with it. But it would be good to benchmark procedural mysqli against PDO, since the procedural style should be a bit faster.
But here is my question: with prepared statements, do we have to use parameter binding with the data we use in our statement? Good practice, or have to? I understand prepared statements are good performance-wise if you run the same query multiple times, but is it enough to secure the query itself? Or is binding parameters a must? What exactly do the binding parameters do, and how does it work to protect the data from SQL injection? It would also be appreciated if you point out any misunderstanding in the statements I made above.
Recommended answer
In short,
- Binding is a must, being a cornerstone of protection, no matter if it is supported by a native driver or not. It's the idea of substitution that matters.
- The difference is negligible in either safety or performance.
- Performance is the last thing to consider. There is NO API that is considerably slower than another. It is not a class or a function that may cause whatever performance problem, but a data manipulation or a bad algorithm. Optimize your queries, not the mere functions used to call them.
- If you are going to use a raw bare API, then PDO is the only choice. While wrapped in a higher-level class, mysqli seems preferable for mysql.
- Both mysqli and PDO lack bindings for identifiers and keywords. In this case a whitelist-based protection must be implemented. Here is my article with a ready-made example, Adding a field name to the SQL query dynamically
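The two points above (binding as substitution for values, a whitelist for identifiers) shown in PDO, as an added example that is not part of the answer above. It uses an in-memory SQLite database so it runs without a MySQL server; the `users` table, its columns and the hostile input string are constructed for the demonstration, and the same PDO calls apply unchanged to the mysql driver.

```php
<?php
// Added example (not the answer author's code). In-memory SQLite via PDO so it runs offline;
// with the mysql driver you would additionally set PDO::ATTR_EMULATE_PREPARES to false
// to get server-side prepares. The table and data below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");

// Constructed hostile input: concatenated into the SQL text it would turn the WHERE into a tautology.
$input = "x' OR '1'='1";

// Binding: the value travels separately from the SQL text (substitution happens after parsing),
// so it can only ever be compared as data, never interpreted as SQL.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN)); // empty array: no row has that literal name

// Identifiers cannot be bound (a placeholder is always treated as a value), so a dynamic
// column name must be checked against a whitelist before it is put into the query text.
function orderByColumn(PDO $pdo, string $column): array
{
    $allowed = ['name', 'email']; // the only columns a caller may sort by
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Unknown sort column: $column");
    }
    // Safe to interpolate: $column is now known to be one of the literals above.
    $stmt = $pdo->query("SELECT name FROM users ORDER BY `$column`");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(orderByColumn($pdo, 'email')); // ["alice", "bob"]

try {
    orderByColumn($pdo, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected before it ever reaches the database
}
```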