Why is INSERT INTO in PDO so complicated? [closed]
So I have to change all the mysql_ commands to PDO because they are officially deprecated and PDO is the most universal. Why are the INSERT ones so complex, and what is the benefit of this?
For example in my old code I do this:
mysql_connect("$host", "$username", "$db_password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
mysql_query("INSERT INTO $tbl_name(this, that, him, her) VALUES('$this', '$that', '$him', '$her')")or die(mysql_error());
And with PDO
$conn = new PDO('mysql:host=HST_NAME;dbname=DB_NAME;charset=utf8', 'USER', 'PASSWORD');
$sql = "INSERT INTO books (this, that, him, her) VALUES (:this,:that,:him,:her)";
$q = $conn->prepare($sql);
$q->execute(array(':this'=>$this,
':that'=>$that,
':him'=>$him,
':her'=>$her ));
When I have to input lots of data at once the PDO code will get huge. What is the benefit of this?
I am looking for a "why to do it" answer, not a "what to do".
You should not be using variables directly in SQL statements; this leads to all sorts of security vulnerabilities.
As you say, the mysql_ functions are getting deprecated. I know you may be reluctant to move to PDO if you’ve been using the mysql_ functions for a long time, but there are various reasons why PDO is better than the old mysql_ functions:
- It protects against SQL injection vulnerabilities out of the box
- It’s faster than the mysql_ functions
- It also has the advantage that it supports database engines other than MySQL
PDO also separates your database query from parameters. Consider the following:
$sql = "INSERT INTO users (first_name, last_name, email)
        VALUES (:first_name, :last_name, :email)";
$smt = $pdo->prepare($sql);   // $pdo is the PDO connection; prepare() returns a PDOStatement
$smt->bindParam(':first_name', $first_name);
$smt->bindParam(':last_name', $last_name);
$smt->bindParam(':email', $email);
$smt->execute();
Or the less “bloated” syntax:
$sql = "INSERT INTO users (first_name, last_name, email)
        VALUES (:first_name, :last_name, :email)";
$smt = $pdo->prepare($sql);   // $pdo is the PDO connection
$smt->execute(array(
    ':first_name' => $first_name,
    ':last_name'  => $last_name,
    ':email'      => $email
));
As you can see, the parameters are separated from the statement itself. It’s cleaner than interpolating variables into your statements, which look ugly and as I say, lead to injection vulnerabilities.
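To make the "parameters are separated from the statement" point concrete, here is an added example (not from the answer above) that runs against an in-memory SQLite database so it works offline. The table and the sample row are constructed for the demo; the surname simply contains an apostrophe, which is enough to break the interpolated query while the prepared statement stores it unchanged.

```php
<?php
// Added example: the same INSERT done by string interpolation and by a prepared
// statement. SQLite in memory keeps it self-contained; the schema is constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (first_name TEXT, last_name TEXT, email TEXT)');

// Constructed sample input: a legitimate surname that happens to contain a quote.
$first_name = 'Conor';
$last_name  = "O'Brien";
$email      = 'conor@example.com';

// 1. mysql_-style interpolation: the quote inside the value closes the SQL string
//    literal early, so the database sees a malformed statement and rejects it.
try {
    $pdo->exec("INSERT INTO users (first_name, last_name, email)
                VALUES ('$first_name', '$last_name', '$email')");
} catch (PDOException $e) {
    echo 'Interpolated query failed: ' . $e->getMessage() . PHP_EOL;
}

// 2. Prepared statement: the SQL text is fixed at prepare() time and the values
//    travel separately, so the quote is just one more character of data.
$stmt = $pdo->prepare('INSERT INTO users (first_name, last_name, email)
                       VALUES (:first_name, :last_name, :email)');
$stmt->execute([
    ':first_name' => $first_name,
    ':last_name'  => $last_name,
    ':email'      => $email,
]);

// Show what actually reached the table.
$stored = $pdo->query('SELECT last_name FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored);
```

Only the row written by the prepared statement is present, with the apostrophe intact. The same mechanism that keeps an ordinary quoted name from corrupting the statement is what stops attacker-supplied input from altering the query, which is why the extra lines are worth it.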
Because your mysql_query is improperly formatted.
If you care to format it properly, it will take the same amount of code as PDO.
Also, for some reason you chose the "long" PDO syntax, while the code could be
$sql = "INSERT INTO books (this, that, him, her) VALUES (?,?,?,?)";
$q = $conn->prepare($sql);
$q->execute(array($this,$that,$him,$her));
Nevertheless, for either of them you can use some sort of automation.
To answer the edited question, why one should use prepared statements
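The question's worry about "lots of data at once" and this answer's mention of automation point at the same pattern: prepare the statement once and execute it per row. The following is an added example (not code from either answer); it uses in-memory SQLite and constructed rows, and the `insertRows` helper and its identifier whitelist are this example's own design.

```php
<?php
// Added example: bulk insert with one prepared statement, one transaction.
// In-memory SQLite so it runs offline; table and rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (this TEXT, that TEXT, him TEXT, her TEXT)');

// Constructed sample data: every row has the same keys in the same order.
$rows = [
    ['this' => 'a1', 'that' => 'b1',  'him' => 'c1', 'her' => 'd1'],
    ['this' => 'a2', 'that' => "b'2", 'him' => 'c2', 'her' => 'd2'],
    ['this' => 'a3', 'that' => 'b3',  'him' => 'c3', 'her' => 'd3'],
];

/**
 * Insert $rows into $table. Column names are taken from the keys of the first
 * row. Identifiers cannot be bound as parameters, so they are checked against a
 * strict whitelist pattern before being placed in the SQL text; the values
 * themselves are always bound, never interpolated.
 */
function insertRows(PDO $pdo, string $table, array $rows): int
{
    if ($rows === []) {
        return 0;
    }
    $columns = array_keys($rows[0]);
    foreach (array_merge([$table], $columns) as $ident) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
            throw new InvalidArgumentException("Unsafe identifier: $ident");
        }
    }
    $placeholders = implode(',', array_fill(0, count($columns), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
                   $table, implode(',', $columns), $placeholders);

    $stmt = $pdo->prepare($sql);        // parsed by the database once
    $pdo->beginTransaction();           // a single commit for the whole batch
    try {
        foreach ($rows as $row) {
            // Positional values, in the same order as the column list.
            $stmt->execute(array_values($row));
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();               // all or nothing
        throw $e;
    }
    return count($rows);
}

$inserted = insertRows($pdo, 'books', $rows);
echo "Inserted $inserted rows" . PHP_EOL;
```

The SQL text never grows with the amount of data; only the loop does. The quote in the second row's value is stored as-is, and a failure on any row rolls the whole batch back instead of leaving a half-written table.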