使用PHP插入MySQL时,我可以执行以下任一操作:
$query = 'INSERT INTO tablename SET id = "4"';
$query = "INSERT INTO tablename SET id = '4'";
$query = 'INSERT INTO tablename SET id = ''4''';
$query = "INSERT INTO tablename SET id = '"4'"";
有没有原因(安全性、性能、代码可读性…)让我更喜欢其中一个?
我认为这是最常见的格式:
$query = "INSERT INTO tablename SET id = '4'";
所以,你可以很容易地回来执行这样的变量扩展:
$id = 4;
$table = "tablename";
$query = "INSERT INTO $table SET id = '$id'";
如果4是用户传入的,那么您应该使用参数化查询并绑定参数以避免SQL注入:
$id = $_POST["id"];
$table = "tablename";
$stmt = $con->prepare("INSERT INTO $tablename SET id=:id");
$stmt->bindParam(":id", $id);
$stmt->execute();
就像Martin Bean提到的那样,使用准备好的语句是个好主意:
$stmt = $con->prepare("INSERT INTO tablename SET id=?");
$stmt->bind_param(4);
$stmt->execute();
$stmt->close();
这取决于情况,在您的情况下应该是:
$query = 'INSERT INTO tablename (id) VALUES (4)';
如果你想插入一个整数和一个字符串,它应该是:
$query = "INSERT INTO tablename (id, name) VALUES (4, 'New York')";
如果您想通过直接在查询中插入变量来构建查询,那么它应该是:
$query = "INSERT INTO tablename (id, name) VALUES ($id, '$city')";
- 构建这样的查询容易产生SQL注入
若您想通过使用例如PDO库来构建查询,它将是:
$query = 'INSERT INTO tablename (id, name) VALUES (:id, :city)';