What is the question mark's significance in MySQL at "WHERE column = ?"?

Notice: this page is a Chinese/English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use or share it you must do so under the same CC BY-SA terms, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow. Original question: http://stackoverflow.com/questions/675010/

Date: 2020-08-31 12:58:25  Source: igfitidea


Tags: mysql, syntax

Asked by Levi

I am dissecting some code and came across this,


$sql = 'SELECT page.*, author.name AS author, updator.name AS updator '
     . 'FROM '.TABLE_PREFIX.'page AS page '
     . 'LEFT JOIN '.TABLE_PREFIX.'user AS author ON author.id = page.created_by_id '
     . 'LEFT JOIN '.TABLE_PREFIX.'user AS updator ON updator.id = page.updated_by_id '
     . 'WHERE slug = ? AND parent_id = ? AND (status_id='.Page::STATUS_REVIEWED.' OR status_id='.Page::STATUS_PUBLISHED.' OR status_id='.Page::STATUS_HIDDEN.')';

I am wondering what the "?" does in the WHERE statement. Is it some sort of parameter holder?


Accepted answer by Jayrox

Prepared statements use the '?' in MySQL to allow for binding params to the statement. Highly regarded as more secure against SQL injections if used properly. This also allows for quicker SQL queries as the request only has to be compiled once and can be reused.


Answer by Steve Stedman

The question mark represents a parameter that will later be replaced. Using parameterized queries is more secure than embedding the parameters right into the query.


SQL Server calls this parameterize queries, and Oracle calls it bind variables.


The usage varies with the language that you are executing the query from.


Here is an example of how it is used from PHP.


assuming that $mysqli is a database connection and people is a table with 4 columns.


$stmt = $mysqli->prepare("INSERT INTO People VALUES (?, ?, ?, ?)");

$stmt->bind_param('sssd', $firstName, $lastName, $email, $age);

The 'sssd' is a flag identifying the rest of the parameters, where s represents string and d represents digits.

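As an added example illustrating the two answers above (it is not code from the question or from either answer), here is the question's own query run both ways: once with slug and parent_id bound to the two `?` markers, and once with the same values glued into the SQL string. Python's built-in sqlite3 module stands in for MySQL because it accepts the same positional `?` placeholders that mysqli and PDO use. The `page` and `user` tables, their rows, the STATUS_* values and an empty TABLE_PREFIX are all assumptions made for the demo, not the schema behind the original question.

```python
"""Added example: what `?` does in "WHERE slug = ? AND parent_id = ?".

sqlite3 stands in for MySQL (same `?` placeholder syntax). Tables, rows and
STATUS_* values are constructed for this demo.
"""
import sqlite3

# Stand-ins for the question's Page::STATUS_* class constants (assumed values).
STATUS_DRAFT, STATUS_REVIEWED, STATUS_PUBLISHED, STATUS_HIDDEN = 0, 1, 2, 3

# The SELECT/JOIN part is shared; TABLE_PREFIX from the question is taken as ''.
SELECT_CLAUSE = (
    "SELECT page.slug, author.name AS author, updator.name AS updator "
    "FROM page AS page "
    "LEFT JOIN user AS author ON author.id = page.created_by_id "
    "LEFT JOIN user AS updator ON updator.id = page.updated_by_id "
)
# Trusted integer constants may be concatenated, exactly as the question does:
# they are program data, not user input.
STATUS_CLAUSE = (
    f"(status_id={STATUS_REVIEWED} OR status_id={STATUS_PUBLISHED} "
    f"OR status_id={STATUS_HIDDEN})"
)


def build_db():
    """Create an in-memory database holding a constructed sample data set."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE page (
            id INTEGER PRIMARY KEY, slug TEXT, parent_id INTEGER,
            status_id INTEGER, created_by_id INTEGER, updated_by_id INTEGER);
        INSERT INTO user VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO page VALUES
            (1, 'home',   0, {STATUS_PUBLISHED}, 1, 2),
            (2, 'about',  0, {STATUS_REVIEWED},  1, 1),
            (3, 'secret', 0, {STATUS_DRAFT},     2, 2);  -- draft: must never be listed
    """)
    return conn


def find_page_bound(conn, slug, parent_id):
    """How the question's code works: slug and parent_id are sent as values
    bound to the two `?` markers, so they are never parsed as SQL."""
    sql = SELECT_CLAUSE + "WHERE slug = ? AND parent_id = ? AND " + STATUS_CLAUSE
    return [row[0] for row in conn.execute(sql, (slug, parent_id))]


def find_page_concatenated(conn, slug, parent_id):
    """Deliberately vulnerable variant: the same values embedded in the SQL text,
    so a quote inside `slug` closes the literal and the rest becomes SQL."""
    sql = (SELECT_CLAUSE
           + f"WHERE slug = '{slug}' AND parent_id = {parent_id} AND "
           + STATUS_CLAUSE)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = build_db()
    hostile_slug = "x' OR 1=1 OR '"
    print(find_page_bound(conn, "home", 0))                # ['home']
    print(find_page_bound(conn, hostile_slug, 0))          # []: no page has that slug
    print(find_page_concatenated(conn, hostile_slug, 0))   # every page, the draft included
```

With binding, the hostile slug is compared as a string and simply matches nothing; with concatenation it rewrites the WHERE clause to `slug = 'x' OR 1=1 OR '' AND ...`, and the `OR 1=1` makes the status filter irrelevant. On the type string in the mysqli example: bind_param's letters are s for string, i for integer, d for double and b for blob; a Python driver infers the type from the Python value instead. Note also that the common MySQL drivers for Python (mysqlclient, PyMySQL) write placeholders as `%s` rather than `?`; the binding mechanism is the same.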

Answer by Raheel

These are prepared statements. Prepared statements offer two major benefits:


The query only needs to be parsed (or prepared) once, but can be executed multiple times with the same or different parameters. When the query is prepared, the database will analyze, compile and optimize its plan for executing the query. For complex queries this process can take up enough time that it will noticeably slow down an application if there is a need to repeat the same query many times with different parameters. By using a prepared statement the application avoids repeating the analyze/compile/optimize cycle. This means that prepared statements use fewer resources and thus run faster.

The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).


http://php.net/manual/en/pdo.prepared-statements.php

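An added example for the two points in the answer above (not code from the answer or from the PHP manual): one prepared INSERT executed once per row with different bound values and no caller-side quoting, and the caveat that `?` protects only the values it carries. The ORDER BY column is the classic place where "other portions of the query" get built from input, because a placeholder can carry a value but never an identifier. sqlite3 again stands in for MySQL (same `?` placeholders); the `people` table, its rows, the allow-list and the `probe` payload are constructed for the demo.

```python
"""Added example: prepare once / execute many, and why `?` alone is not enough
when part of the SQL text itself comes from input.

sqlite3 stands in for MySQL (same `?` placeholder syntax). Table, rows and
allow-list are constructed for this demo.
"""
import sqlite3

SAMPLE_PEOPLE = [  # constructed sample rows: (first_name, last_name, email, age)
    ("Ann", "Zed", "ann@example.com", 40.0),
    ("Bob", "Young", "bob@example.com", 25.0),
    ("Cy", "Xu", "cy@example.com", 31.0),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (first_name TEXT, last_name TEXT, email TEXT, age REAL)")
    # Benefit 1: the INSERT is prepared once and executed once per row. The
    # caller passes raw values; quoting and escaping are the driver's job.
    conn.executemany("INSERT INTO people VALUES (?, ?, ?, ?)", SAMPLE_PEOPLE)
    conn.commit()
    return conn


ALLOWED_SORT_COLUMNS = {"first_name", "last_name", "email", "age"}


def list_people_safe(conn, min_age, sort_col):
    """Values go through `?`; the identifier goes through an allow-list, since a
    placeholder can only carry a value, never a column name."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    sql = f"SELECT first_name FROM people WHERE age >= ? ORDER BY {sort_col}"
    return [row[0] for row in conn.execute(sql, (min_age,))]


def list_people_unsafe(conn, min_age, sort_col):
    """Deliberately vulnerable: the answer's caveat. `age` is bound, but the
    ORDER BY expression is still attacker-controlled SQL text."""
    sql = f"SELECT first_name FROM people WHERE age >= ? ORDER BY {sort_col}"
    return [row[0] for row in conn.execute(sql, (min_age,))]


def list_people_misbound(conn, min_age, sort_col):
    """The tempting but wrong fix: binding the column name. The value arrives as
    a string constant, so the rows are ordered by a constant, i.e. not sorted."""
    sql = "SELECT first_name FROM people WHERE age >= ? ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (min_age, sort_col))]


def probe(threshold):
    """Attacker input for the unsafe variant: the result order now reveals
    whether the embedded subquery's condition holds (a blind-injection probe)."""
    return (f"(CASE WHEN (SELECT count(*) FROM people) > {threshold} "
            f"THEN last_name ELSE first_name END)")


if __name__ == "__main__":
    conn = build_db()
    print(list_people_safe(conn, 30, "last_name"))       # ['Cy', 'Ann']
    print(list_people_unsafe(conn, 30, probe(2)))        # ['Cy', 'Ann']: count > 2 holds
    print(list_people_unsafe(conn, 30, probe(5)))        # ['Ann', 'Cy']: count > 5 does not
    print(list_people_misbound(conn, 30, "last_name"))   # ['Ann', 'Cy']: table order, unsorted
```

The safe variant rejects anything that is not a known column name before it touches the SQL string; that allow-list is the only way to let input choose an identifier, because there is no placeholder type for one. The unsafe variant shows what the caveat in the answer means in practice: the values are bound, yet the attacker still executes an arbitrary subquery and reads its result out of the row order.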