Which PDO prepared statement is preferable, they both work
Both of these PDO prepared statements work. Which one is preferable or more secure?
//do not include id in prepare as it is auto increment
//version 1
$sql = "INSERT INTO `wbs_prod_ratings_archive` (`prodid`, `ratedate`, `ratestamp`, `rating`, `prod_owner`, `buyerid`, `buyername`, `verified_buyer`)
VALUES (:p,:r,:s,:t,:o,:b,:n,:v)";
$stmt = $this->pdo->prepare($sql);
$stmt->bindParam(':p', $newdata['prodid'], PDO::PARAM_INT);
$stmt->bindParam(':r', $newdata['ratedate']);
$stmt->bindParam(':s', $newdata['ratestamp'], PDO::PARAM_INT);
$stmt->bindParam(':t', $newdata['rating'], PDO::PARAM_INT);
$stmt->bindParam(':o', $newdata['prod_owner'], PDO::PARAM_INT);
$stmt->bindParam(':b', $newdata['buyerid'], PDO::PARAM_INT);
$stmt->bindParam(':n', $newdata['buyername']);
$stmt->bindParam(':v', $newdata['verified_buyer']);
$result = $stmt->execute();
//version 2
$p = (int) $newdata['prodid'];
$r = $newdata['ratedate'];
$s = (int) $newdata['ratestamp'];
$t = (int) $newdata['rating'];
$o = (int) $newdata['prod_owner'];
$b = (int) $newdata['buyerid'];
$n = $newdata['buyername'];
$v = $newdata['verified_buyer'];
//all int other than ratedate, buyername, verified buyer
$sql = "INSERT INTO `wbs_prod_ratings_archive` (`prodid`, `ratedate`, `ratestamp`, `rating`, `prod_owner`, `buyerid`, `buyername`, `verified_buyer`)
VALUES ($p, '$r', $s, $t, $o, $b, '$n', '$v')";
$stmt = $this->pdo->prepare($sql);
$result = $stmt->execute();
PS I originally wrote it with the (?,?,?,?,?,?,?,?) method, but I could never get it to work. It seems the problem is that whichever way I choose, I have to specify which items are (int), and I could never get that to work with that format.
The version 1 option binds them as INT.
The version 2 option then sets them to int via PHP (int), and the strings are then quoted in the values list.
So both of the above options work and have been tested. Is there a better option?
Only the first one is a prepared statement, and it is definitely better. The second is not actually a prepared statement at all and is extremely vulnerable to SQL injection, which is exactly what a real prepared statement protects you from.
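An added example (not code from the original question or answer) of the answer's point, plus the positional (?) form the PS mentions. It runs against an in-memory SQLite table that stands in for wbs_prod_ratings_archive with an assumed schema, and uses a constructed $newdata row.

```php
<?php
// Added example, not from the original post. In-memory SQLite so it runs
// offline; the table is an assumed stand-in with the question's column names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE wbs_prod_ratings_archive (
    id INTEGER PRIMARY KEY AUTOINCREMENT, prodid INTEGER, ratedate TEXT,
    ratestamp INTEGER, rating INTEGER, prod_owner INTEGER, buyerid INTEGER,
    buyername TEXT, verified_buyer TEXT)");

// Constructed input: an ordinary buyer name that happens to contain an apostrophe.
$newdata = ['prodid' => '17', 'ratedate' => '2024-01-31', 'ratestamp' => '1706659200',
            'rating' => '4', 'prod_owner' => '3', 'buyerid' => '42',
            'buyername' => "O'Brien", 'verified_buyer' => 'yes'];

// Version 2 style: the value is spliced into the SQL text, so the apostrophe
// is parsed as SQL syntax and the statement fails. Whatever the caller puts in
// the value is interpreted as SQL the same way; that is the injection risk.
$n = $newdata['buyername'];
try {
    $pdo->exec("INSERT INTO wbs_prod_ratings_archive (buyername) VALUES ('$n')");
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

// Positional placeholders with explicit types, the form the PS could not get
// working: bindValue() takes the 1-based position, the value, and the type.
// The data travels separately from the SQL text and is never parsed as SQL.
$sql = "INSERT INTO wbs_prod_ratings_archive
        (prodid, ratedate, ratestamp, rating, prod_owner, buyerid, buyername, verified_buyer)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
$stmt = $pdo->prepare($sql);
$types = ['prodid' => PDO::PARAM_INT, 'ratedate' => PDO::PARAM_STR,
          'ratestamp' => PDO::PARAM_INT, 'rating' => PDO::PARAM_INT,
          'prod_owner' => PDO::PARAM_INT, 'buyerid' => PDO::PARAM_INT,
          'buyername' => PDO::PARAM_STR, 'verified_buyer' => PDO::PARAM_STR];
$pos = 1;
foreach ($types as $col => $type) {
    $value = ($type === PDO::PARAM_INT) ? (int) $newdata[$col] : $newdata[$col];
    $stmt->bindValue($pos++, $value, $type);
}
$stmt->execute();

// Only the bound insert succeeded, and the apostrophe was stored as data.
$row = $pdo->query("SELECT buyername FROM wbs_prod_ratings_archive")->fetch(PDO::FETCH_ASSOC);
echo "stored buyername: ", $row['buyername'], "\n";
```

The same $types map works with named placeholders; the point is that the type decision is made in bindValue(), not by quoting inside the SQL string.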