How to operate MySQL in PHP?

The Mysql operation method I learned from the book has always been in the following format: {code ...} now the preprocessing method {code...} is found in others' project implementations ...} okay, it's just the implementation method of object-oriented and process 2 .. the Mysql operation method I learned from books has always been in the following format:

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $query = "select * from products where Category=\"$category\"";$data = mysqli_query($dbc, $query);while ($row = mysqli_fetch_array($data)) {...}

Now we have found preprocessing methods in others' project implementations.

$stmt = $this->conn->prepare("SELECT password_hash FROM users WHERE email = ?"); $stmt->bind_param("s", $email); $stmt->execute(); $stmt->bind_result($password_hash); $stmt->store_result();

Okay, it's just the implementation method in object-oriented and process 2. Let's just ignore it.

Reply content:

The Mysql operation methods learned from books have always been roughly the following:

$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $query = "select * from products where Category=\"$category\"";$data = mysqli_query($dbc, $query);while ($row = mysqli_fetch_array($data)) {...}

Now we have found preprocessing methods in others' project implementations.

$stmt = $this->conn->prepare("SELECT password_hash FROM users WHERE email = ?"); $stmt->bind_param("s", $email); $stmt->execute(); $stmt->bind_result($password_hash); $stmt->store_result();

Okay, it's just the implementation method in object-oriented and process 2. Let's just ignore it.

You are reading textbooks, haha ~
Only use pdo, not explained ~

For queries with user output parameters, directly concatenate SQL statements and the query is insecure,
Before querying, use mysqli_real_escape_string to escape special characters in the SQL statement.
However, it is best to use prepare preprocessing bind_param for parameterized query.

// Pdo anti-injection, you deserve $ pdo = new PDO ("mysql: dbname = test", 'root ',''); $ SQL = "SELECT * FROM category"; $ stmt = $ pdo-> prepare ($ SQL); $ stmt-> execute (); // obtain the result in an array, and traverse the result while ($ row = $ stmt-> fetch () {$ categories [] = $ row;} print_r ($ categories );

The pre-processing method is implemented through the extended Mysqli class. It is a function provided after MYSQL4.1. The book generally only describes the default implementation method, this makes it easy for beginners to understand how PHP connects to MYSQL. This book will certainly mention preprocessing.

I met the pre-processing method when I was doing oracle. At that time, I was shocked. The enterprise-level database was so suspended that I realized that mysql also had it. However, it is indeed recommended that I use pre-processing for database operations.

PHP has three connection methods to MySQL: mysql_connect (), mysqli, and pdo.

Mysql_connect () is not recommended on the official website and has poor security.

Both mysqli and pdo can be pre-processed and parameters bound to effectively prevent SQL injection and other problems. PDO is recommended. Because PDO is a database abstraction layer, it supports many different database drivers (which can be easily changed later) and more friendly naming variable binding.

For historical reasons, many PHP libraries provide two usage methods: Object-oriented and process-oriented (functional, c ), mysqli has two types of programs and objects.
The first example you give is the mysqli procedural method, and the second is the object type.

What about this?
Is there only two implementations for process-oriented and face-oriented objects? Joke.
The parameter binding and pre-processing of PDO make the addslashes unified, and all the filtering functions of mysql escape are laid off.
In addition to solving the SQL Injection problem, the pre-query is bound to improve the timeliness of Batch similar queries.