翻译烂到家了,看不顺眼轻喷。。。 1.为什么要使用PDO? mysql_函数已经过时,相当一段时间以来,mysql_函数在其他SQL数据库编程接口方面已经有所差别;它不支持预处理,存储过程,事务等一些现代数据库设计思想,SQL语句字符串转义函数 mysql_real_escape_s
翻译烂到家了,看不顺眼轻喷。。。
1.为什么要使用PDO?
mysql_*函数已经过时,相当一段时间以来,mysql_*函数在其他SQL数据库编程接口方面已经有所差别;它不支持预处理,存储过程,事务等一些现代数据库设计思想,SQL语句字符串转义函数 mysql_real_escape_string() 和 拼接SQL语句的编程方法 已经过时并且很容易出错。最近一段时间里,它缺乏开发者的关注,缺少维护将可能导致一些安全问题不能被即时修复,或者在适配新版本的MySQL的时候不能正常工作,这成为mysql_*函数面临的的另一个问题。PHP社区最近也对mysql_*函数给出不建议使用的建议,也有可能在未来的版本中最终被弃用(不过不用过于担心,这可能还需要很长一段时间)。
PDO拥有更好的编程接口,你可以使用它写出更加简洁,高效,安全的代码。PDO还为不同的SQL数据库提供了不同的驱动,方便你使用新的数据库而不用再学习不同的编程接口。与拼接SQL语句构造查询语句不同,绑定参数可以简洁方便的构造出更加安全的查询语句,使用绑定参数的方法在 多次相似语句查询(仅仅某个参数不同)中也可以提高不少性能。PDO在错误处理方面也提供了多种方法。mysql_*函数缺乏一致的处理,与PDO的异常模式相比,或者说没有处理异常,使用PDO,你可以得到一致的错误处理,这将节省您大量的时间来跟踪问题。
在当前的PHP版本中,PDO模块是默认安装启用的,但是在使用PDO前你还需要安装另外两个软件包,一个是pdo_mysql数据库驱动程序,另外一个是类似php-mysql的mysql驱动程序。
2.连接MySQL
以前的方式:
<code>$link = mysql_connect('localhost', 'user', 'pass');
mysql_select_db('testdb', $link);
mysql_set_charset('UTF-8', $link);
</code>
新的方式:
* 创建一个PDO对象,参数包括 DSN, username, password 和 一个驱动选项的数组(可忽略)。
* DSN其实就是一个告诉PDO该使用哪一种数据库驱动 和 一些连接信息的字符串,了解更多 PDO MYSQL DSN .
<code>$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
</code>
注意:确保DSN中设置了字符编码信息,否则将可能返回字符编码设置错误的信息,出于安全考虑,DSN最好包括字符编码信息设置。
你也可以在第四个参数数组里填写一些驱动选项,建议将 PDO异常模式(下文讲解) 和 关闭预处理模拟(默认打开的,仅对于旧版本MySQL有用)两个参数加入到第四个参数数组中。
<code>$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password', array(PDO::ATTR_EMULATE_PREPARES => false,PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
</code>
你也可以在创建PDO对象后再通过setAttribute方法设置相应选项。
<code>$db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'username', 'password');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
</code>
3.错误处理
mysql_*函数的错误处理
<code>//connected to mysql
$result = mysql_query("SELECT * FROM table", $link) or die(mysql_error($link));
</code>
OR die()是个不错的错误处理方法,但是会因此结束页面,将错误信息呈现到用户面前,这可能是我们不想看到的结果。
PDO有三种错误处理模式:
- PDO::ERRMODE_SILENT # 和 mysql_*函数类似,检查代码并查看
$db->errorInfo();获取详细信息。 - PDO::ERRMODE_WARNING # 抛出PHP警告。
- PDO::ERRMODE_EXCEPTION #抛出
PDOException异常,在我认为,这是我们应该使用的模式, 这和die(mysql_error());类似,但是它可以捕获并抛出具体异常信息。
code:
<code>try {
//connect as appropriate as above
$db->query('hi'); //invalid query!
} catch(PDOException $ex) {
echo "An Error occured!"; //user friendly message
some_logging_function($ex->getMessage());
}
</code>
注意:你可以不用立即执行并捕获异常,你可以在任何合适的时候随时捕获。
<code>function getData($db) {
$stmt = $db->query("SELECT * FROM table");
return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
//then much later
try {
getData($db);
} catch(PDOException $ex) {
//handle me.
}
</code>
如果你不想使用try/catch来处理异常,就像使用OR die()那样处理,在production模式下关闭display_errors选项即可。
4.简单的查询语句(SELECT)
mysql_*代码:
<code>$result = mysql_query('SELECT * from table') or die(mysql_error());
$num_rows = mysql_num_rows($result);
while($row = mysql_fetch_assoc($result)) {
echo $row['field1'].' '.$row['field2']; //etc...
}
</code>
PDO代码:
<code>foreach($db->query('SELECT * FROM table') as $row) {
echo $row['field1'].' '.$row['field2']; //etc...
}
</code>
query() 方法返回了一个 PDOStatement 对象,你可以通过如下方法获取结果:
<code>$stmt = $db->query('SELECT * FROM table');
while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
echo $row['field1'].' '.$row['field2']; //etc...
}
</code>
或者
<code>$stmt = $db->query('SELECT * FROM table');
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
//use $results
</code>
# Fetch Modes
注意 fetch() 和 fetchAll() 代码中的PDO::FETCH_ASSOC ,它高速 PDO 以关联数组的形式返回 键,值;其他比如PDO::FETCH_NUM模式,则返回数值键值的数组,默认模式是 PDO::FETCH_BOTH 则返回前面两者的集合,既有数值键值的数组,又有关联数组。PDO也可以获取数据返回对象PDO::FETCH_OBJ,PDO::FETCH_CLASS,PDO::FETCH_BOUND,bindColumn方法等更多内容,请阅读: PDOStatement Fetch documentation。
# 获取数据行数(Getting Row Count)
代替 mysql_num_rows 方法,你可以使用 PDOStatement对象的rowCount();方法。
<code>$stmt = $db->query('SELECT * FROM table');
$row_count = $stmt->rowCount();
echo $row_count.' rows selected';
</code>
注意:官方文档称此函数仅适用于返回 `UPDATE`, `INSERT`, `DELETE`操作的`affected rows`,而 `SELECT`操作,仅对于`PDO_MYSQL` 驱动,此函数同样适用(谨记),在操作其他数据库的时候尤其注意。
# 获取最后操作ID(Getting the Last Insert Id)
mysql_*代码:
<code>$result = mysql_query("INSERT INTO table(firstname, lastname) VALUES('John', 'Doe')") or die("Insert Failed ".mysql_error());
$insert_id = mysql_insert_id();
</code>
PDO代码:
<code>$result = $db->exec("INSERT INTO table(firstname, lastname) VAULES('John', 'Doe')");
$insertId = $db->lastInsertId();
</code>
5.执行 INSERT, UPDATE, DELETE 操作
mysql_*代码:
<code>$results = mysql_query("UPDATE table SET field='value'") or die(mysql_error());
$affected_rows = mysql_affected_rows($result);
echo $affected_rows.' were affected';
</code>
PDO代码:
<code>$affected_rows = $db->exec("UPDATE table SET field='value'");
echo $affected_rows.' were affected'
</code>
DELETE , INSERT 操作同样适用。
6.运行带有查询参数的语句(Running Statements With Parameters)
对于 不携带任何参数的查询语句,我们可以使用 query方法处理SELECT操作,使用exec方法处理 INSERT,UPDATE,INSERT操作,而对于携带查询参数的语句,你应该使用绑定参数的方法来安全的处理这些操作。
mysql_*代码:
<code>$results = mysql_query(sprintf("SELECT * FROM table WHERE id='%s' AND name='%s'",
mysql_real_escape_string($id), mysql_real_escape_string($name))) or die(mysql_error());
$rows = array();
while($row = mysql_fetch_assoc($results)){
$rows[] = $row;
}
</code>
PDO代码:
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->execute(array($id, $name));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
prepare方法将查询语句发送到服务器,以“?”作为参数占位符进行编译,execute方法将查询参数发送到服务器,运行之前编译好的查询语句。因为 查询语句 和 查询参数 是分开发送的,所以在参数里的SQL语句是不可能被执行的,所以不会发生 SQL注入,这是一种比连接字符串构造SQL语句更加安全的解决方法。
注意: 当你使用**绑定参数**的时候,不要对"?"占位符使用引号(SQL语句原来是对参数使用引号的),因为参数类型是在execute方法的时候确定的,所以在prepare的时候不必对占位符使用引号。
还有一些绑定参数的方法,bindValue方法可以分别绑定每个参数来代替execute方法的数组方式,同时还分别设置每个参数的类型。
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=? AND name=?");
$stmt->bindValue(1, $id, PDO::PARAM_INT);
$stmt->bindValue(2, $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
#命名占位符
如果你有许多参数需要绑定,不要使用问号占位符,以防混淆出错,你可以使用命名占位符代替问号占位符。
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
你也可以使用execute方法,以数组的方式绑定参数:
<code>$stmt = $db->prepare("SELECT * FROM table WHERE id=:id AND name=:name");
$stmt->execute(array(':name' => $name, ':id' => $id));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
</code>
#INSERT, DELETE, UPDATE 预处理查询
INSERT, DELETE, UPDATE 预处理语句的使用和SELECT类似,我们举几个例子:
<code>$stmt = $db->prepare("INSERT INTO table(field1,field2,field3,field4,field5) VALUES(:field1,:field2,:field3,:field4,:field5)");
$stmt->execute(array(':field1' => $field1, ':field2' => $field2, ':field3' => $field3, ':field4' => $field4, ':field5' => $field5));
$affected_rows = $stmt->rowCount();
</code>
<code>$stmt = $db->prepare("DELETE FROM table WHERE id=:id");
$stmt->bindValue(':id', $id, PDO::PARAM_STR);
$stmt->execute();
$affected_rows = $stmt->rowCount();
</code>
<code>$stmt = $db->prepare("UPDATE table SET name=? WHERE id=?");
$stmt->execute(array($name, $id));
$affected_rows = $stmt->rowCount();
</code>
#在预处理中使用SQL函数
无效方法:
<code>//THIS WILL NOT WORK!
$time = 'NOW()';
$name = 'BOB';
$stmt = $db->prepare("INSERT INTO table(`time`, `name`) VALUES(?, ?)");
$stmt->execute(array($time, $name));
</code>
正确方法
<code>$name = 'BOB';
$stmt = $db->prepare("INSERT INTO table(`time`, `name`) VALUES(NOW(), ?)");
$stmt->execute(array($name));
</code>
你也可以在SQL函数里绑定参数:
<code>$name = 'BOB';
$password = 'badpass';
$stmt = $db->prepare("INSERT INTO table(`hexvalue`, `password`) VALUES(HEX(?), PASSWORD(?))");
$stmt->execute(array($name, $password));
</code>
但是不能作为LIKE的参数:
<code>//THIS DOES NOT WORK
$stmt = $db->prepare("SELECT field FROM table WHERE field LIKE %?%");
$stmt->bindParam(1, $search, PDO::PARAM_STR);
$stmt->execute();
</code>
正确使用LIKE并绑定参数的方法:
<code>$stmt = $db->prepare("SELECT field FROM table WHERE field LIKE ?");
$stmt->bindValue(1, "%$search%", PDO::PARAM_STR);
$stmt->execute();
</code>
注意:这里使用的是bindValue而不是bindParam,否则会发生PDOException或致命错误。
#使用循环运行预处理语句
预处理语句可以一次设置,多次调用,因为仅在第一次传入的时候编译,因此在后来的多次调用中提高了不少效率。
典型的应用就是bindParam,bindParam与bindValue的不同之处在于,它不是绑定了参数的值,而是绑定参数变量本身,因此,如果参数变量变化了,那么在execute处理的时候,查询也将相应变化。
<code>$values = array('bob', 'alice', 'lisa', 'john');
$name = '';
$stmt = $db->prepare("INSERT INTO table(`name`) VALUES(:name)");
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
foreach($values as $name) {
$stmt->execute();
}
</code>
6.PDO中的事务(Transactions)
注意:调用beginTransaction()方法即自动关闭了自动提交。
<code>try {
$db->beginTransaction();
$db->exec("SOME QUERY");
$stmt = $db->prepare("SOME OTHER QUERY?");
$stmt->execute(array($value));
$stmt = $db->prepare("YET ANOTHER QUERY??");
$stmt->execute(array($value2, $value3));
$db->commit();
} catch(PDOException $ex) {
//Something went wrong rollback!
$db->rollBack();
echo $ex->getMessage();
}
</code>
原文链接:PDO Tutorial for MySQL Developers
参考链接:PDO Documentation
延伸阅读:Validation and SQL Injection
原文地址:PHP Memcached使用详解, 感谢原作者分享。
How does MySQL handle data replication?Apr 28, 2025 am 12:25 AMMySQL processes data replication through three modes: asynchronous, semi-synchronous and group replication. 1) Asynchronous replication performance is high but data may be lost. 2) Semi-synchronous replication improves data security but increases latency. 3) Group replication supports multi-master replication and failover, suitable for high availability requirements.
How can you use the EXPLAIN statement to analyze query performance?Apr 28, 2025 am 12:24 AMThe EXPLAIN statement can be used to analyze and improve SQL query performance. 1. Execute the EXPLAIN statement to view the query plan. 2. Analyze the output results, pay attention to access type, index usage and JOIN order. 3. Create or adjust indexes based on the analysis results, optimize JOIN operations, and avoid full table scanning to improve query efficiency.
How do you back up and restore a MySQL database?Apr 28, 2025 am 12:23 AMUsing mysqldump for logical backup and MySQLEnterpriseBackup for hot backup are effective ways to back up MySQL databases. 1. Use mysqldump to back up the database: mysqldump-uroot-pmydatabase>mydatabase_backup.sql. 2. Use MySQLEnterpriseBackup for hot backup: mysqlbackup--user=root-password=password--backup-dir=/path/to/backupbackup. When recovering, use the corresponding life
What are some common causes of slow queries in MySQL?Apr 28, 2025 am 12:18 AMThe main reasons for slow MySQL query include missing or improper use of indexes, query complexity, excessive data volume and insufficient hardware resources. Optimization suggestions include: 1. Create appropriate indexes; 2. Optimize query statements; 3. Use table partitioning technology; 4. Appropriately upgrade hardware.
What are views in MySQL?Apr 28, 2025 am 12:04 AMMySQL view is a virtual table based on SQL query results and does not store data. 1) Views simplify complex queries, 2) Enhance data security, and 3) Maintain data consistency. Views are stored queries in databases that can be used like tables, but data is generated dynamically.
What are the differences in syntax between MySQL and other SQL dialects?Apr 27, 2025 am 12:26 AMMySQLdiffersfromotherSQLdialectsinsyntaxforLIMIT,auto-increment,stringcomparison,subqueries,andperformanceanalysis.1)MySQLusesLIMIT,whileSQLServerusesTOPandOracleusesROWNUM.2)MySQL'sAUTO_INCREMENTcontrastswithPostgreSQL'sSERIALandOracle'ssequenceandt
What is MySQL partitioning?Apr 27, 2025 am 12:23 AMMySQL partitioning improves performance and simplifies maintenance. 1) Divide large tables into small pieces by specific criteria (such as date ranges), 2) physically divide data into independent files, 3) MySQL can focus on related partitions when querying, 4) Query optimizer can skip unrelated partitions, 5) Choosing the right partition strategy and maintaining it regularly is key.
How do you grant and revoke privileges in MySQL?Apr 27, 2025 am 12:21 AMHow to grant and revoke permissions in MySQL? 1. Use the GRANT statement to grant permissions, such as GRANTALLPRIVILEGESONdatabase_name.TO'username'@'host'; 2. Use the REVOKE statement to revoke permissions, such as REVOKEALLPRIVILEGESONdatabase_name.FROM'username'@'host' to ensure timely communication of permission changes.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Dreamweaver CS6
Visual web development tools
SublimeText3 Linux new version
SublimeText3 Linux latest version
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
Atom editor mac version download
The most popular open source editor
