PDO - real facts and best practice?


Question

Until now I've been using the older mysql instead of PDO and I've seen many recommendations why to switch to PDO, however also many different facts (also here on SO), e.g.:

  • stating PDO is slightly faster/a little bit slower
  • saying PDO helps prevent SQL-injections, but only if you use prepared queries
  • and also saying using prepared queries is bad, as it is damn slow

So, what is actually true? Especially, what are the best practices when using PDO and both speed and security matter a lot - how to best protect yourself from SQL injections while still having fast queries?

Accepted answer

Database Support

The core advantage of PDO over MySQL is in its database driver support. PDO supports many different drivers like CUBRID, MS SQL Server, Firebird/Interbase, IBM, MySQL, and so on.

Security

Both libraries provide SQL injection security, as long as the developer uses them the way they were intended. It is recommended that prepared statements are used with bound queries.

// PDO, prepared statement
// prepare() returns a PDOStatement; execute() is called on that statement, not on the PDO handle
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->execute(array(':username' => $_GET['username']));

// mysqli, prepared statements
$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$query->bind_param('s', $_GET['username']);
$query->execute();

Speed

While both PDO and MySQL are quite fast, MySQL performs insignificantly faster in benchmarks – ~2.5% for non-prepared statements, and ~6.5% for prepared ones.

Named Parameters

Just like @DaveRandom pointed out, this is another feature that PDO has, and it is considerably easier than the horrible numeric binding.

$params = array(':username' => 'test', ':email' => $mail, ':last_login' => time() - 3600);

// prepare() returns a PDOStatement; the bound values are passed to its execute()
$stmt = $pdo->prepare('
SELECT * FROM users
WHERE username = :username
AND email = :email
AND last_login > :last_login');

$stmt->execute($params);

PDO vs MySQL

Few links for further reference
MySQL vs PDO (Stackoverflow)
Why you should be using PDO for database access (net.tutsplus.com)
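The following is an added, self-contained example (not code from the answer above) that shows the point of the Security and Named Parameters sections end to end: the same lookup done by string concatenation and by a PDO prepared statement with named parameters, fed an injection payload. It runs against an in-memory SQLite database via pdo_sqlite so no MySQL server is needed; the `users` table, its two rows, and the payload are constructed here for illustration.

```php
<?php
// Added example: unsafe concatenation vs. PDO prepared statements.
// Requires the pdo_sqlite extension; the table and rows below are constructed test data.

$pdo = new PDO('sqlite::memory:');
// Fail loudly instead of silently returning false from prepare()/execute().
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so
// parameters are bound server-side; SQLite always uses native prepares.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, last_login INTEGER)');

// One prepared INSERT, executed repeatedly with different bindings.
$seed = $pdo->prepare('INSERT INTO users (username, email, last_login) VALUES (:username, :email, :last_login)');
foreach ([['alice', 'alice@example.com', time() - 600],
          ['bob',   'bob@example.com',   time() - 7200]] as [$u, $e, $t]) {
    $seed->execute([':username' => $u, ':email' => $e, ':last_login' => $t]);
}

// Attacker-controlled input, as it might arrive in $_GET['username'].
$input = "x' OR '1'='1";

// Unsafe: the input is spliced into the SQL text, so the quote closes the
// literal and the OR clause matches every row.
$unsafe = $pdo->query("SELECT username FROM users WHERE username = '$input'");
echo 'concatenated: ', count($unsafe->fetchAll(PDO::FETCH_COLUMN)), " rows\n"; // 2 rows

// Safe: the statement is compiled before the value is supplied, so the input
// can only ever be compared against the username column as a plain string.
$stmt = $pdo->prepare('SELECT username FROM users WHERE username = :username');
$stmt->execute([':username' => $input]);
echo 'prepared:     ', count($stmt->fetchAll(PDO::FETCH_COLUMN)), " rows\n"; // 0 rows

// Several named parameters at once, mirroring the answer's example.
$stmt = $pdo->prepare('SELECT username FROM users WHERE email = :email AND last_login > :last_login');
$stmt->execute([':email' => 'alice@example.com', ':last_login' => time() - 3600]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN)); // Array ( [0] => alice )
```

Run it with `php example.php`. The two row counts are the whole argument: the concatenated query returns both users for a username that does not exist, while the prepared statement returns none. Note that binding only protects values; table and column names, `ORDER BY` targets and `LIMIT` clauses cannot be parameters and must be checked against an allow-list instead.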

Other answers

In most cases, development speed (how long it takes to write the software) is much more important than minute improvements to performance.

I recommend using PDO, and using it with prepared queries. Unless you are Twitter or Google it is highly unlikely you will be even the slightest bit aware of any performance difference.