0

我搜索了很多,但找不到与我的问题相关的任何问题,所以我发布了这个。

我开始知道以下 3 行做同样的工作。

$q="insert into employee values('".$e."','".$nm."','".$desg."','".$sal."')";

$q="insert into employee values('$e','$nm','$desg','$sal')";

$q="insert into employee values('{$e}','{$nm}','{$desg}','{$sal}')";

$e, $name, &desg, &sal are variables.

我很困惑哪一个是最好的,为什么这三个工作相同。第一个对我来说完全清楚,它将变量替换为值并创建查询。

但是在第 2 和第 3 中,我不清楚如何替换变量。那是我从那里学到的,他们说如果我将变量插入回声中,那么它应该用 {} 括起来或连接起来。

前任:echo "This is {$name}" / echo "This is ".$name;

所以我很困惑。

4

4 回答 4

1

There are not the different ways of writing queries, these are merely different ways to write strings in PHP. To clear any confusion, you should go through PHP strings manual and read about all possible ways to create strings. The documentation explains the four possible syntax plus how variables within strings are "parsed".

Before you write queries (safe ones) you must understand how strings work in PHP. You can then go through these answers to find out the proper way of writing queries.

于 2013-08-17T09:27:40.150 回答
0

To answer your question:

This is simple string concatenation:

$q="insert into employee values('" . $e . "','" . $nm . "','" . $desg . "','" . $sal . "')";

This is value substitution, which PHP will do with string literals that use " ":

$q="insert into employee values('$e','$nm','$desg','$sal')";

The third sample is not correct. { and } are only necessary when you want to use the substitution from #2 with array values:

$q="insert into employee values('{$e[0]}','{$nm[0]}','{$desg['somekey']}','{$sal[o]}')";

As mentioned repeatedly, you seriously do not want to be using any of these to build a query string. Both PDO and the MySQLi library have parameterizing functions that are much safer.

于 2013-08-17T09:26:29.333 回答
0

On comparison of these four queries we got:

echo "My name is $name"  //0.00099992752075195

echo "My name is ".$name;  //0.00099992752075195

echo "My name is {$name}"; //0.0010001659393311 

echo "My name is '{$name}'";  //0.0010001659393311

which proves first query will perform better.

these three are good in general use but are most vulnerable to sql injection better use:

  1. use Prepared statements.

    eg :

    <?php

    $q = 'Insert INTO counter(num) values (?); $stmt = mysqli_prepare($dbc, 'i'); // check weather only integer is passed

    mysqli_stmt_bind_param($stmt, 'i', $n);

    for($n=1;$n<= 100; $n++) { mysqli_stmt_execute($stmt); } ?> `

  2. Use PDO objects in php.

于 2013-08-17T09:31:34.780 回答
0

正如人们在评论中开始指出的那样,这些方法都不是可取的或安全的。

问题是这里解释的 SQL 注入。

您想使用 PDO。请参阅本教程本参考资料

所以要连接:

$dsn="mysql:host=127.0.0.1;dbname=myDatabase";
$username="myUsername";
$password="myPassword";
try {
    $DBH=new PDO($dsn,$username,$password);
} catch(PDOException $e) {
    echo $e->getMessage();
}

和一个样本插入:

    $STH = $DBH->prepare("INSERT INTO job (snum, date, length, type, ref) VALUES (:u,:d,:l,:t,:r)");
    $STH->bindParam(':u', $myVariable1);
    $STH->bindParam(':d', $myVariable2); 
    $STH->bindParam(':l', $myVariable3);
    $STH->bindParam(':t', $myVariable4);
    $STH->bindParam(':r', $myVariable5);
    try { 
        $STH->execute();
    } catch(PDOException $e) {
        echo $e->getMessage();
    }
于 2013-08-17T09:19:33.697 回答