The MySQL operation that I learned from the book has always been in the following form
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $query = "select * from products where Category=\"$category\"";$data = mysqli_query($dbc, $query);while ($row = mysqli_fetch_array($data)) {...}
The preprocessing is now discovered in other people's project implementations.
$stmt = $this->conn->prepare("SELECT password_hash FROM users WHERE email = ?"); $stmt->bind_param("s", $email); $stmt->execute(); $stmt->bind_result($password_hash); $stmt->store_result();
Okay, just the object-oriented and process-oriented 2 implementation method. Everybody ignore it.
Reply content:
The MySQL operation that I learned from the book has always been in the following form
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $query = "select * from products where Category=\"$category\"";$data = mysqli_query($dbc, $query);while ($row = mysqli_fetch_array($data)) {...}
The preprocessing is now discovered in other people's project implementations.
$stmt = $this->conn->prepare("SELECT password_hash FROM users WHERE email = ?"); $stmt->bind_param("s", $email); $stmt->execute(); $stmt->bind_result($password_hash); $stmt->store_result();
Okay, just the object-oriented and process-oriented 2 implementation method. Everybody ignore it.
You look at the textbook, haha ~
Only PDO, don't explain ~
For queries with user output parameters, the SQL statement is directly spliced and then query is unsafe.
The special characters in the SQL statement should be escaped with mysqli_real_escape_string before the query.
However, it is best to use prepare preprocessing bind_param parameterized queries.
//pdo防注入,你值得拥有$pdo = new PDO("mysql:dbname=test",'root','');$sql = "SELECT * FROM category";$stmt = $pdo->prepare($sql);$stmt->execute();// 以数组方式获取结果,并遍历结果while ($row = $stmt->fetch()) { $categories[] = $row;}print_r($categories);
The preprocessing method is implemented by the Mysqli class of the enhanced extension, it is the function that the MYSQL4.1 starts to provide later, the book generally only will say the default realization way, this also facilitates the beginner to understand the PHP connection MySQL method, this book if has to say preprocessing certainly will mention.
Pre-processing I was in the Oracle when I met, then shocked, enterprise-class database is so hanging, and later know that MySQL also have, but do recommend using preprocessing to do database operations
PHP has three ways to connect to MySQL: mysql_connect (), Mysqli, PDO.
Mysql_connect () The official has not recommended the use, the security is very poor.
Mysqli and PDO, both can be pre-processing, parameter binding, can effectively prevent SQL injection and other issues. It is recommended to use PDO a bit. Because PDO is a database abstraction layer, it supports many different database drivers (easy to replace later), supports friendlier named variable bindings, and so on.
and PHP for historical reasons, many libraries provide two sets of usage: object-oriented, and process-oriented (functional, C-language), Mysqli has a program and object-style two.
The first example you give is the mysqli process, and the second, the object type.
Pull it?
Only two implementations of process-oriented and face-type objects? What a joke.
PDO parameter binding and preprocessing let the traditional one big Tuo addslashes,mysql escape various assorted filter function all laid off.
In addition to drastic to solve the problem of SQL injection, and then the binding of pre-query, in the batch similar query efficiency improved.