为什么需要在bindParam()中指定参数类型?

时间:2023-05-06
本文介绍了为什么需要在bindParam()中指定参数类型?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着跟版网的小编来一起学习吧!

问题描述

限时送ChatGPT账号..

我有点困惑,为什么我们需要指定我们在 Php 中的 PDO 中的 bindParam() 函数中传递的数据类型.例如这个查询:

I am a bit confuse as to why we need to specify the type of data that we pass in the bindParam() function in PDO in Php. For example this query:

$calories = 150; 
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT); 
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);
$sth->execute();

如果我不指定第三个参数,是否存在安全风险.我的意思是如果我只是在 bindParam() 中做:

Is there a security risk if I do not specify the 3rd parameter. I mean if I just do in the bindParam():

$sth->bindParam(1, $calories); 
$sth->bindParam(2, $colour);

推荐答案

对类型使用 bindParam() 可以被认为更安全,因为它允许更严格的验证,进一步防止 SQL 注入.但是,如果您不这样做,我不会说会涉及真正 安全风险,因为更多的是您执行了prepared statement 比类型验证更能防止 SQL 注入.实现此目的的更简单方法是简单地将数组传递给 execute() 函数,而不是使用 bindParam(),如下所示:

Using bindParam() with types could be considered safer, because it allows for stricter verification, further preventing SQL injections. However, I wouldn't say there is a real security risk involved if you don't do it like that, as it is more the fact that you do a prepared statement that protects from SQL injections than type verification. A simpler way to achieve this is by simply passing an array to the execute() function instead of using bindParam(), like this:

$calories = 150; 
$colour = 'red';

$sth = $dbh->prepare('SELECT name, colour, calories
                      FROM fruit
                      WHERE calories < :calories AND colour = :colour');

$sth->execute(array(
    'calories' => $calories,
    'colour' => $colour
));

您没有义务使用字典,您也可以像使用问号一样使用字典,然后将其按相同的顺序放入数组中.然而,即使这很完美,我还是建议养成使用第一个的习惯,因为一旦达到一定数量的参数,这种方法就会变得一团糟.为了完整起见,这里是它的样子:

You're not obligated to use a dictionary, you can also do it just like you did with questionmarks and then put it in the same order in the array. However, even if this works perfectly, I'd recommend making a habit of using the first one, since this method is a mess once you reach a certain number of parameters. For the sake of being complete, here's what it looks like:

$calories = 150; 
$colour = 'red';

$sth = $dbh->prepare('SELECT name, colour, calories
                      FROM fruit
                      WHERE calories < ? AND colour = ?');

$sth->execute(array($calories, $colour));

这篇关于为什么需要在bindParam()中指定参数类型?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!

上一篇:PHP Postgres PDO 驱动不支持prepared statement? 下一篇:获取时Mysql PDO最大LONGBLOB数据长度

相关文章