Are they doing the same thing, just in a different way?
Apart from using prepare, is there a difference between
$sth = $db->query("SELECT * FROM table");
$result = $sth->fetchAll();
and
$sth = $db->prepare("SELECT * FROM table");
$sth->execute();
$result = $sth->fetchAll();
?
query
runs a standard SQL statement and requires you to escape all data yourself, correctly, to avoid SQL injection and other problems.
execute
runs a prepared statement, which lets you bind parameters so that you do not have to escape or quote them. execute
also performs better if the same query is run repeatedly. Example of a prepared statement:
// $dbh is an existing PDO connection; the two values below are example inputs
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories);
$sth->bindParam(':colour', $colour);
$sth->execute();
// $calories and $colour do not need to be escaped or quoted since the
// data is separated from the query
Best practice is to stick with prepared statements and execute for increased security.
See also: Are PDO prepared statements sufficient to prevent SQL injection?
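The separation the answer describes, as an added example that is not part of the original question or answer: the same SELECT run once with the value pasted into the SQL string (which is what you are doing when you hand query() a concatenated string) and once as a parameterized statement. It uses Python's sqlite3 module rather than PHP/PDO so that it runs offline against a constructed in-memory table; the table, its rows and the injection payload are all assumed here, and sqlite3's `?` placeholders play the role of PDO's :named parameters.

```python
import sqlite3

# Constructed sample data: an in-memory "fruit" table like the one in the answer.
SAMPLE_ROWS = [
    ("apple", "red", 150),
    ("banana", "yellow", 250),
    ("kiwi", "brown", 75),
    ("lemon", "yellow", 25),
    ("plum", "dark'purple", 45),   # legitimate value containing a quote
]


def make_db():
    """Build an in-memory SQLite database with the sample fruit table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)")
    conn.executemany("INSERT INTO fruit VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_fruit_unsafe(conn, colour, max_calories):
    """Equivalent of PDO query() with user input pasted into the SQL text.

    The caller is responsible for escaping `colour`; nothing here does it,
    so the value becomes part of the statement grammar.
    """
    sql = (
        "SELECT name FROM fruit "
        f"WHERE calories < {int(max_calories)} AND colour = '{colour}' "
        "ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def find_fruit_safe(conn, colour, max_calories):
    """Equivalent of PDO prepare()/bindParam()/execute().

    The SQL text is fixed; the values travel separately as parameters and are
    never interpreted as SQL, so no escaping or quoting is needed.
    """
    sql = (
        "SELECT name FROM fruit "
        "WHERE calories < ? AND colour = ? "
        "ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (int(max_calories), colour))]


def unsafe_breaks_on(conn, colour, max_calories=100):
    """True if the concatenated version fails outright on this input."""
    try:
        find_fruit_unsafe(conn, colour, max_calories)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    payload = "yellow' OR '1'='1"      # classic filter-bypass payload
    print("benign, unsafe :", find_fruit_unsafe(db, "yellow", 100))
    print("benign, safe   :", find_fruit_safe(db, "yellow", 100))
    print("payload, unsafe:", find_fruit_unsafe(db, payload, 100))   # every row
    print("payload, safe  :", find_fruit_safe(db, payload, 100))     # nothing
    print("quote, safe    :", find_fruit_safe(db, "dark'purple", 100))
    print("quote, unsafe  :", "syntax error" if unsafe_breaks_on(db, "dark'purple") else "ok")
```

With ordinary input both functions return the same rows, which is why the two snippets in the question look interchangeable. The difference shows up only when the input contains SQL syntax: the concatenated query turns `yellow' OR '1'='1` into a condition that matches every row, while the parameterized query compares the literal string and matches none. The quote in `dark'purple` makes the same point from the other side, breaking the concatenated statement while the bound parameter handles it without any escaping.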