翻译烂到家了,看不顺眼轻喷。。。 1.为什么要使用PDO? mysql_函数已经过时,相当一段时间以来,mysql_函数在其他SQL数据库编程接口方面已经有所差别;它不支持预处理,存储过程,事务等一些现代数据库设计思想,SQL语句字符串转义函数 mysql_real_escape_s
翻译烂到家了,看不顺眼轻喷。。。
1.为什么要使用PDO?
mysql_*函数已经过时,相当一段时间以来,mysql_*函数在其他SQL数据库编程接口方面已经有所差别;它不支持预处理,存储过程,事务等一些现代数据库设计思想,SQL语句字符串转义函数 mysql_real_escape_string() 和 拼接SQL语句的编程方法 已经过时并且很容易出错。最近一段时间里,它缺乏开发者的关注,缺少维护将可能导致一些安全问题不能被即时修复,或者在适配新版本的MySQL的时候不能正常工作,这成为mysql_*函数面临的的另一个问题。PHP社区最近也对mysql_*函数给出不建议使用的建议,也有可能在未来的版本中最终被弃用(不过不用过于担心,这可能还需要很长一段时间)。
PDO拥有更好的编程接口,你可以使用它写出更加简洁,高效,安全的代码。PDO还为不同的SQL数据库提供了不同的驱动,方便你使用新的数据库而不用再学习不同的编程接口。与拼接SQL语句构造查询语句不同,绑定参数可以简洁方便的构造出更加安全的查询语句,使用绑定参数的方法在 多次相似语句查询(仅仅某个参数不同)中也可以提高不少性能。PDO在错误处理方面也提供了多种方法。mysql_*函数缺乏一致的处理,与PDO的异常模式相比,或者说没有处理异常,使用PDO,你可以得到一致的错误处理,这将节省您大量的时间来跟踪问题。
在当前的PHP版本中,PDO模块是默认安装启用的,但是在使用PDO前你还需要安装另外两个软件包,一个是pdo_mysql数据库驱动程序,另外一个是类似php-mysql的mysql驱动程序。
2.连接MySQL
以前的方式:
<code>$link = mysql_connect('localhost', 'user', 'pass');
mysql_select_db('testdb', $link);
mysql_set_charset('UTF-8', $link);
</code>
新的方式:
* 创建一个PDO对象,参数包括 DSN, username, password 和 一个驱动选项的数组(可忽略)。
* DSN其实就是一个告诉PDO该使用哪一种数据库驱动 和 一些连接信息的字符串,了解更多 PDO MYSQL DSN .
<code>$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
</code>
注意:确保DSN中设置了字符编码信息,否则将可能返回字符编码设置错误的信息,出于安全考虑,DSN最好包括字符编码信息设置。
你也可以在第四个参数数组里填写一些驱动选项,建议将 PDO异常模式(下文讲解) 和 关闭预处理模拟(默认打开的,仅对于旧版本MySQL有用)两个参数加入到第四个参数数组中。
<code>$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password', array(PDO::ATTR_EMULATE_PREPARES => false,PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
</code>
你也可以在创建PDO对象后再通过setAttribute方法设置相应选项。
<code>$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
</code>
3.错误处理
mysql_*函数的错误处理
<code>//connected to mysql
$result = mysql_query("SELECT * FROM table", $link) or die(mysql_error($link));
</code>
OR die()是个不错的错误处理方法,但是会因此结束页面,将错误信息呈现到用户面前,这可能是我们不想看到的结果。
PDO有三种错误处理模式:
- PDO::ERRMODE_SILENT # 和 mysql_*函数类似,检查代码并查看
$db->errorInfo();获取详细信息。 - PDO::ERRMODE_WARNING # 抛出PHP警告。
- PDO::ERRMODE_EXCEPTION #抛出
PDOException异常,在我认为,这是我们应该使用的模式, 这和die(mysql_error());类似,但是它可以捕获并抛出具体异常信息。
code:
<code>try {
//connect as appropriate as above
$db->query('hi'); //invalid query!
} catch(PDOException $ex) {
echo "An Error occured!"; //user friendly message
some_logging_function($ex->getMessage());
}
</code>
注意:你可以不用立即执行并捕获异常,你可以在任何合适的时候随时捕获。
<code>function getData($db) {
$stmt = $db->query("SELECT * FROM table");
return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
//then much later
try {
getData($db);
} catch(PDOException $ex) {
//handle me.
}
</code>
如果你不想使用try/catch来处理异常,就像使用OR die()那样处理,在production模式下关闭display_errors选项即可。
4.简单的查询语句(SELECT)
mysql_*代码:
<code>$result = mysql_query('SELECT * from table') or die(mysql_error());
$num_rows = mysql_num_rows($result);
while($row = mysql_fetch_assoc($result)) {
echo $row['field1'].' '.$row['field2']; //etc...
}
</code>
PDO代码:
<code>foreach($db->query('SELECT * FROM table') as $row) {
echo $row['field1'].' '.$row['field2']; //etc...
}
</code>
query() 方法返回了一个 PDOStatement 对象,你可以通过如下方法获取结果:
<code>$stmt = $db->query('SELECT * FROM table');
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo $row['field1'].' '.$row['field2']; //etc...
}
</code>
或者
<code>$stmt = $db->query('SELECT * FROM table');
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
//use $results
</code>
# Fetch Modes
注意 fetch() 和 fetchAll() 代码中的PDO::FETCH_ASSOC ,它高速 PDO 以关联数组的形式返回 键,值;其他比如PDO::FETCH_NUM模式,则返回数值键值的数组,默认模式是 PDO::FETCH_BOTH 则返回前面两者的集合,既有数值键值的数组,又有关联数组。PDO也可以获取数据返回对象PDO::FETCH_OBJ,PDO::FETCH_CLASS,PDO::FETCH_BOUND,bindColumn方法等更多内容,请阅读: PDOStatement Fetch documentation。
# 获取数据行数(Getting Row Count)
代替 mysql_num_rows 方法,你可以使用 PDOStatement对象的rowCount();方法。
<code>$stmt = $db->query('SELECT * FROM table');
$row_count = $stmt->rowCount();
echo $row_count.' rows selected';
</code>
注意:官方文档称此函数仅适用于返回 `UPDATE`, `INSERT`, `DELETE`操作的`affected rows`,而 `SELECT`操作,仅对于`PDO_MYSQL` 驱动,此函数同样适用(谨记),在操作其他数据库的时候尤其注意。
# 获取最后操作ID(Getting the Last Insert Id)
mysql_*代码:
<code>$result = mysql_query("INSERT INTO table(firstname, lastname) VALUES('John', 'Doe')") or die("Insert Failed ".mysql_error());
$insert_id = mysql_insert_id();
</code>
PDO代码:
<code>$result = $db->exec("INSERT INTO table(firstname, lastname) VAULES('John', 'Doe')");
$insertId = $db->lastInsertId();
</code>
5.执行 INSERT, UPDATE, DELETE 操作
mysql_*代码:
<code>$results = mysql_query("UPDATE table SET field='value'") or die(mysql_error());
$affected_rows = mysql_affected_rows($result);
echo $affected_rows.' were affected';
</code>
PDO代码:
<code>$affected_rows = $db->exec("UPDATE table SET field='value'");
echo $affected_rows.' were affected'
</code>
DELETE , INSERT 操作同样适用。
6.运行带有查询参数的语句(Running Statements With Parameters)
对于 不携带任何参数的查询语句,我们可以使用 query方法处理SELECT操作,使用exec方法处理 INSERT,UPDATE,INSERT操作,而对于携带查询参数的语句,你应该使用绑定参数的方法来安全的处理这些操作。
mysql_*代码:
<code>$results = mysql_query(sprintf("SELECT * FROM table WHERE id='%s' AND name='%s'",
mysql_real_escape_string($id), mysql_real_escape_string($name))) or die(mysql_error());
$rows = array();
while($row = mysql_fetch_assoc($results)){
$rows[] = $row;
}
</code>
PDO代码:
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->execute(array($id, $name));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
prepare方法将查询语句发送到服务器,以“?”作为参数占位符进行编译,execute方法将查询参数发送到服务器,运行之前编译好的查询语句。因为 查询语句 和 查询参数 是分开发送的,所以在参数里的SQL语句是不可能被执行的,所以不会发生 SQL注入,这是一种比连接字符串构造SQL语句更加安全的解决方法。
注意: 当你使用**绑定参数**的时候,不要对"?"占位符使用引号(SQL语句原来是对参数使用引号的),因为参数类型是在execute方法的时候确定的,所以在prepare的时候不必对占位符使用引号。
还有一些绑定参数的方法,bindValue方法可以分别绑定每个参数来代替execute方法的数组方式,同时还分别设置每个参数的类型。
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
#命名占位符
如果你有许多参数需要绑定,不要使用问号占位符,以防混淆出错,你可以使用命名占位符代替问号占位符。
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
你也可以使用execute方法,以数组的方式绑定参数:
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
#INSERT, DELETE, UPDATE 预处理查询
INSERT, DELETE, UPDATE 预处理语句的使用和SELECT类似,我们举几个例子:
<code>$stmt = $db->prepare("INSERT INTO table(field1,field2,field3,field4,field5) VALUES(:field1,:field2,:field3,:field4,:field5)");
$stmt->execute(array(':field1' => $field1, ':field2' => $field2, ':field3' => $field3, ':field4' => $field4, ':field5' => $field5));
$affected_rows = $stmt->rowCount();
</code>
<code>$stmt = $db->prepare("DELETE FROM table WHERE id=:id");
$stmt->bindValue(':id', $id, PDO::PARAM_STR);
$stmt->execute();
$affected_rows = $stmt->rowCount();
</code>
<code>$stmt = $db->prepare("UPDATE table SET name=? WHERE id=?");
$stmt->execute(array($name, $id));
$affected_rows = $stmt->rowCount();
</code>
#在预处理中使用SQL函数
无效方法:
<code>//THIS WILL NOT WORK!
$time = 'NOW()';
$name = 'BOB';
$stmt = $db->prepare("INSERT INTO table(`time`, `name`) VALUES(?, ?)");
$stmt->execute(array($time, $name));
</code>
正确方法
<code>$name = 'BOB';
$stmt = $db->prepare("INSERT INTO table(`time`, `name`) VALUES(NOW(), ?)");
$stmt->execute(array($name));
</code>
你也可以在SQL函数里绑定参数:
<code>$name = 'BOB';
$password = 'badpass';
$stmt = $db->prepare("INSERT INTO table(`hexvalue`, `password`) VALUES(HEX(?), PASSWORD(?))");
$stmt->execute(array($name, $password));
</code>
但是不能作为LIKE的参数:
<code>//THIS DOES NOT WORK
$stmt = $db->prepare("SELECT field FROM table WHERE field LIKE %?%");
$stmt->bindParam(1, $search, PDO::PARAM_STR);
$stmt->execute();
</code>
正确使用LIKE并绑定参数的方法:
<code>$stmt = $db->prepare("SELECT field FROM table WHERE field LIKE ?");
$stmt->bindValue(1, "%$search%", PDO::PARAM_STR);
$stmt->execute();
</code>
注意:这里使用的是bindValue而不是bindParam,否则会发生PDOException或致命错误。
#使用循环运行预处理语句
预处理语句可以一次设置,多次调用,因为仅在第一次传入的时候编译,因此在后来的多次调用中提高了不少效率。
典型的应用就是bindParam,bindParam与bindValue的不同之处在于,它不是绑定了参数的值,而是绑定参数变量本身,因此,如果参数变量变化了,那么在execute处理的时候,查询也将相应变化。
<code>$values = array('bob', 'alice', 'lisa', 'john');
$name = '';
$stmt = $db->prepare("INSERT INTO table(`name`) VALUES(:name)");
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
foreach($values as $name) {
$stmt->execute();
}
</code>
6.PDO中的事务(Transactions)
注意:调用beginTransaction()方法即自动关闭了自动提交。
<code>try {
$db->beginTransaction();
$db->exec("SOME QUERY");
$stmt = $db->prepare("SOME OTHER QUERY?");
$stmt->execute(array($value));
$stmt = $db->prepare("YET ANOTHER QUERY??");
$stmt->execute(array($value2, $value3));
$db->commit();
} catch(PDOException $ex) {
//Something went wrong rollback!
$db->rollBack();
echo $ex->getMessage();
}
</code>
原文链接:PDO Tutorial for MySQL Developers
参考链接:PDO Documentation
延伸阅读:Validation and SQL Injection
原文地址:PHP Memcached使用详解, 感谢原作者分享。
What are the different storage engines available in MySQL?Apr 26, 2025 am 12:27 AMMySQLoffersvariousstorageengines,eachsuitedfordifferentusecases:1)InnoDBisidealforapplicationsneedingACIDcomplianceandhighconcurrency,supportingtransactionsandforeignkeys.2)MyISAMisbestforread-heavyworkloads,lackingtransactionsupport.3)Memoryengineis
What are some common security vulnerabilities in MySQL?Apr 26, 2025 am 12:27 AMCommon security vulnerabilities in MySQL include SQL injection, weak passwords, improper permission configuration, and unupdated software. 1. SQL injection can be prevented by using preprocessing statements. 2. Weak passwords can be avoided by forcibly using strong password strategies. 3. Improper permission configuration can be resolved through regular review and adjustment of user permissions. 4. Unupdated software can be patched by regularly checking and updating the MySQL version.
How can you identify slow queries in MySQL?Apr 26, 2025 am 12:15 AMIdentifying slow queries in MySQL can be achieved by enabling slow query logs and setting thresholds. 1. Enable slow query logs and set thresholds. 2. View and analyze slow query log files, and use tools such as mysqldumpslow or pt-query-digest for in-depth analysis. 3. Optimizing slow queries can be achieved through index optimization, query rewriting and avoiding the use of SELECT*.
How can you monitor MySQL server health and performance?Apr 26, 2025 am 12:15 AMTo monitor the health and performance of MySQL servers, you should pay attention to system health, performance metrics and query execution. 1) Monitor system health: Use top, htop or SHOWGLOBALSTATUS commands to view CPU, memory, disk I/O and network activities. 2) Track performance indicators: monitor key indicators such as query number per second, average query time and cache hit rate. 3) Ensure query execution optimization: Enable slow query logs, record and optimize queries whose execution time exceeds the set threshold.
Compare and contrast MySQL and MariaDB.Apr 26, 2025 am 12:08 AMThe main difference between MySQL and MariaDB is performance, functionality and license: 1. MySQL is developed by Oracle, and MariaDB is its fork. 2. MariaDB may perform better in high load environments. 3.MariaDB provides more storage engines and functions. 4.MySQL adopts a dual license, and MariaDB is completely open source. The existing infrastructure, performance requirements, functional requirements and license costs should be taken into account when choosing.
How does MySQL's licensing compare to other database systems?Apr 25, 2025 am 12:26 AMMySQL uses a GPL license. 1) The GPL license allows the free use, modification and distribution of MySQL, but the modified distribution must comply with GPL. 2) Commercial licenses can avoid public modifications and are suitable for commercial applications that require confidentiality.
When would you choose InnoDB over MyISAM, and vice versa?Apr 25, 2025 am 12:22 AMThe situations when choosing InnoDB instead of MyISAM include: 1) transaction support, 2) high concurrency environment, 3) high data consistency; conversely, the situation when choosing MyISAM includes: 1) mainly read operations, 2) no transaction support is required. InnoDB is suitable for applications that require high data consistency and transaction processing, such as e-commerce platforms, while MyISAM is suitable for read-intensive and transaction-free applications such as blog systems.
Explain the purpose of foreign keys in MySQL.Apr 25, 2025 am 12:17 AMIn MySQL, the function of foreign keys is to establish the relationship between tables and ensure the consistency and integrity of the data. Foreign keys maintain the effectiveness of data through reference integrity checks and cascading operations. Pay attention to performance optimization and avoid common errors when using them.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
