Security advantage of prepared statements over PDO::quote
Do prepared statements provide any security advantage over PDO::quote in single-use queries?

For example, if I have the following query, which is executed only once, is there any disadvantage compared with the prepared equivalent below it?

// Using PDO::quote
$stmt = $db->query("SELECT * FROM `config` WHERE name = {$db->quote($name)} LIMIT 1");

// Using prepared statement
$stmt = $db->prepare("SELECT * FROM `config` WHERE name = :name LIMIT 1");
$stmt->execute(['name' => $name]);

I have read that prepared statements are marginally slower due to the two-step execution. Is the initial preparing step executed on the database server, or is it handled by the PDO extension?
From the docs:

If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query.

Does prepared statement provide any security advantage over PDO::quote in single use queries?

Yes: it works for numeric parameters as well as strings. PDO::quote() only works for strings and dates.

I have read that prepared statement is marginally slower due to the two step execution.

If it is, the difference is negligible unless your network is very slow or in need of repair. Unless you operate at very, very high scale (hint: you don't), don't worry about it.

Is the initial preparing step executed on the database server, or is it handled by the PDO extension?

Either one, depending on the PDO::ATTR_EMULATE_PREPARES attribute. If it is set to true, prepare() is a no-op (apart from saving the SQL string in a variable), and later, when you execute(), it interpolates your parameters into the SQL string and runs the query without preparing it.

If PDO::ATTR_EMULATE_PREPARES is false, it does a server-side prepare. The DBMS keeps some object in memory that represents the query, and it cannot run the prepared query until you send the parameter values separately in the execute call.
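The two points in the answer, shown in runnable form as an added example (this is not code from the question or the answer). It uses an in-memory SQLite database with a constructed `config` table so it runs offline; the `connect()`, `countByName()` and `firstRows()` helpers are my own and assumed. The ATTR_EMULATE_PREPARES setting is applied only for drivers that support emulation (such as pdo_mysql), since pdo_sqlite always prepares natively.

```php
<?php
// Added example, not code from the original question or answer.

// Open a connection with the settings the answer discusses: exceptions on
// error, and native (server-side) prepares instead of emulated ones.
// ATTR_EMULATE_PREPARES only means something for drivers such as pdo_mysql;
// pdo_sqlite always prepares natively, so it is skipped there.
function connect(string $dsn, ?string $user = null, ?string $pass = null): PDO
{
    $db = new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    if ($db->getAttribute(PDO::ATTR_DRIVER_NAME) !== 'sqlite') {
        // false: parameters travel separately from the SQL text
        // true:  execute() interpolates them into the SQL string client-side
        $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $db;
}

$db = connect('sqlite::memory:');

// Constructed sample table.
$db->exec('CREATE TABLE config (id INTEGER PRIMARY KEY, name TEXT NOT NULL, value TEXT)');
$db->exec("INSERT INTO config (name, value) VALUES ('site_title', 'Demo'), ('retention_days', '30')");

// 1. String values: both approaches are safe for a single lookup. A value
//    containing a quote character is escaped by quote() and is never parsed
//    as SQL by the prepared statement, so both count the same rows.
function countByName(PDO $db, string $name): array
{
    $viaQuote = (int) $db->query(
        "SELECT COUNT(*) FROM config WHERE name = {$db->quote($name)}"
    )->fetchColumn();

    $stmt = $db->prepare('SELECT COUNT(*) FROM config WHERE name = :name');
    $stmt->execute(['name' => $name]);
    $viaPrepare = (int) $stmt->fetchColumn();

    return ['quote' => $viaQuote, 'prepared' => $viaPrepare];
}

print_r(countByName($db, 'site_title'));
print_r(countByName($db, "site_title' OR '1'='1"));   // a literal name, matches nothing

// 2. Numeric values: quote() always yields a quoted string literal, so it
//    cannot express a bare integer where SQL needs one (LIMIT/OFFSET, or an
//    integer column under a strict SQL mode). A bound parameter can be typed.
echo $db->quote((string) 5), PHP_EOL;   // prints a string literal, not a number

function firstRows(PDO $db, int $limit): array
{
    $stmt = $db->prepare('SELECT name FROM config ORDER BY id LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);   // sent as an integer
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(firstRows($db, 1));
```

Run it with `php example.php`. The `countByName()` pair shows that for a single string parameter the two styles are equivalent in what reaches the parser; `firstRows()` shows the case quote() cannot cover, an integer in a LIMIT clause, which is where a typed bound parameter is the only option that does not rely on hand-built SQL.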