Which PDO prepared statement is preferable? They both work

Question  Votes: 0  Answers: 1

Both of these PDO prepared statements work. Which one is preferable, or safer?

    // do not include id in prepare as it is auto increment

    // version 1: placeholders in the SQL, values bound with their own types
    $sql = "INSERT INTO `wbs_prod_ratings_archive` (`prodid`, `ratedate`, `ratestamp`, `rating`, `prod_owner`, `buyerid`, `buyername`, `verified_buyer`)
            VALUES (:p, :r, :s, :t, :o, :b, :n, :v)";

    $stmt = $this->pdo->prepare($sql);

    // bindParam binds by reference; the value is read when execute() runs
    $stmt->bindParam(':p', $newdata['prodid'], PDO::PARAM_INT);
    $stmt->bindParam(':r', $newdata['ratedate']);
    $stmt->bindParam(':s', $newdata['ratestamp'], PDO::PARAM_INT);
    $stmt->bindParam(':t', $newdata['rating'], PDO::PARAM_INT);
    $stmt->bindParam(':o', $newdata['prod_owner'], PDO::PARAM_INT);
    $stmt->bindParam(':b', $newdata['buyerid'], PDO::PARAM_INT);
    $stmt->bindParam(':n', $newdata['buyername']);
    $stmt->bindParam(':v', $newdata['verified_buyer']);

    $result = $stmt->execute();


    // version 2: values cast in PHP, then interpolated into the SQL string
    $p = (int) $newdata['prodid'];
    $r = $newdata['ratedate'];
    $s = (int) $newdata['ratestamp'];
    $t = (int) $newdata['rating'];
    $o = (int) $newdata['prod_owner'];
    $b = (int) $newdata['buyerid'];
    $n = $newdata['buyername'];
    $v = $newdata['verified_buyer'];

    // all int other than ratedate, buyername, verified buyer
    // the SQL handed to prepare() already contains the data, so there is nothing left to bind
    $sql = "INSERT INTO `wbs_prod_ratings_archive` (`prodid`, `ratedate`, `ratestamp`, `rating`, `prod_owner`, `buyerid`, `buyername`, `verified_buyer`)
            VALUES ($p, '$r', $s, $t, $o, $b, '$n', '$v')";

    $stmt = $this->pdo->prepare($sql);

    $result = $stmt->execute();

PS: I originally wrote this with the (?,?,?,?,?,?,?,?,?) method, but I could never get it to work. It seems the problem is that whichever way I choose, I have to specify which items are (int), and I could never get that format to work.

The version 1 option binds them as INT. The version 2 option sets them to int via PHP's (int) cast and then references the strings in the values list.

So both options above work, and both have been tested. Is there a better option?

php pdo bind
1 answer
0
votes

Only the first one is a prepared statement, and it is definitely better. The second is not actually a prepared statement and is vulnerable to SQL injection, which is exactly what a real prepared statement protects you from.
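As an added example (not code from the question or the answer), here is the positional `?` form the asker could not get working, with each placeholder bound by 1-based position through `bindValue()` and an explicit `PDO::PARAM_INT` or `PDO::PARAM_STR` type. It runs against an in-memory SQLite database so it is self-contained; the table name and column names are taken from the question, the schema, the `pdo_sqlite` driver and the sample row are assumptions. A second function repeats the version 2 pattern on the same data to show why `prepare()` gives it no protection: by the time the driver sees the SQL, the data is already part of the statement text.

```php
<?php
// Added example, not from the question or answer. Assumes the pdo_sqlite
// extension; SQLite accepts the backtick-quoted identifiers used in the question.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // use the driver's native prepared statements

// Assumed schema: id is auto increment, so it is not part of the INSERT.
$pdo->exec("CREATE TABLE `wbs_prod_ratings_archive` (
    `id` INTEGER PRIMARY KEY AUTOINCREMENT,
    `prodid` INTEGER NOT NULL,
    `ratedate` TEXT NOT NULL,
    `ratestamp` INTEGER NOT NULL,
    `rating` INTEGER NOT NULL,
    `prod_owner` INTEGER NOT NULL,
    `buyerid` INTEGER NOT NULL,
    `buyername` TEXT NOT NULL,
    `verified_buyer` TEXT NOT NULL
)");

/**
 * Version 1 idea with positional placeholders. Each value is bound by
 * position (1-based) with its own PDO type; bindValue() copies the value
 * at bind time, unlike bindParam(), which binds by reference.
 */
function insertRating(PDO $pdo, array $newdata): int
{
    $sql = "INSERT INTO `wbs_prod_ratings_archive`
            (`prodid`, `ratedate`, `ratestamp`, `rating`, `prod_owner`, `buyerid`, `buyername`, `verified_buyer`)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?)";

    // column => PDO type, listed in the same order as the placeholders
    $columns = [
        'prodid'         => PDO::PARAM_INT,
        'ratedate'       => PDO::PARAM_STR,
        'ratestamp'      => PDO::PARAM_INT,
        'rating'         => PDO::PARAM_INT,
        'prod_owner'     => PDO::PARAM_INT,
        'buyerid'        => PDO::PARAM_INT,
        'buyername'      => PDO::PARAM_STR,
        'verified_buyer' => PDO::PARAM_STR,
    ];

    $stmt = $pdo->prepare($sql);
    $position = 1;
    foreach ($columns as $column => $type) {
        // form input arrives as strings; cast the integer columns before binding
        $value = ($type === PDO::PARAM_INT) ? (int) $newdata[$column] : (string) $newdata[$column];
        $stmt->bindValue($position++, $value, $type);
    }
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

/**
 * The version 2 pattern on the same data. prepare() receives SQL that already
 * contains the values, so nothing is parameterised; an ordinary apostrophe in
 * the name is enough to break the statement. Returns false when the driver rejects it.
 */
function insertRatingInterpolated(PDO $pdo, array $newdata): bool
{
    $n = $newdata['buyername'];
    $sql = "INSERT INTO `wbs_prod_ratings_archive`
            (`prodid`, `ratedate`, `ratestamp`, `rating`, `prod_owner`, `buyerid`, `buyername`, `verified_buyer`)
            VALUES (42, '2024-01-15', 1705276800, 5, 7, 1001, '$n', 'yes')";
    try {
        $pdo->prepare($sql)->execute();
        return true;
    } catch (PDOException $e) {
        return false;
    }
}

// Constructed sample row; the apostrophe in buyername is ordinary user data.
$newdata = [
    'prodid'         => '42',
    'ratedate'       => '2024-01-15',
    'ratestamp'      => '1705276800',
    'rating'         => '5',
    'prod_owner'     => '7',
    'buyerid'        => '1001',
    'buyername'      => "Mary O'Brien",
    'verified_buyer' => 'yes',
];

$id = insertRating($pdo, $newdata);
$stmt = $pdo->prepare("SELECT `buyername` FROM `wbs_prod_ratings_archive` WHERE `id` = ?");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->execute();
echo "prepared insert stored: ", $stmt->fetchColumn(), PHP_EOL;   // Mary O'Brien, stored verbatim

echo "interpolated insert accepted: ", var_export(insertRatingInterpolated($pdo, $newdata), true), PHP_EOL;
```

Two details worth keeping in mind when using the `?` form: passing an array to `execute()` instead of calling `bindValue()` binds every value as `PDO::PARAM_STR`, which is why an explicit `bindValue()` loop is used here for the integer columns; and with `PDO::ATTR_EMULATE_PREPARES` left at its default, PDO may build the statement text itself (quoting values) rather than sending parameters separately, so setting it to `false` is the way to get the driver's native prepared statements where the driver supports them.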

© www.soinside.com 2019 - 2024. All rights reserved.