PDO statements with named parameters VS question mark parameters

Submitted by 时光毁灭记忆、已成空白 on 2020-02-15 22:50:28

Question


I have a class for database management, and one of my sub-classes (the one that defines a query) is defined like this (just a sample, many other functions are actually stripped for testing purposes):

<?php
namespace Tests\SQL\Arguments {
    // SQL query: holds the query text and its parameters separately
    class Query {
        public $attributes = [];

        // constructor for this object: the first argument is the query
        // string, every further argument is a parameter value
        public function __construct() {
            if ($arguments = func_get_args()) {
                $this->attributes["query"] = current($arguments);

                // everything after the query string is a parameter
                if (sizeof($arguments) > 1) {
                    $this->attributes["parameters"] = array_slice($arguments, 1);
                }

                return $this;
            }
        }
    }

    $query = new Query("INSERT INTO `clients/history` (`date`,`client`,`ammount`,`status`) VALUES (?,?,?,?);", date("Y-m-d H:i:s"), 57, 17852.25, "A");
    print_r($query);
}

As you can see, I automatically pick up the function arguments, so I can separate the query from its parameters with ease at construction time. Apart from bulk INSERT/UPDATE/DELETE actions, I would like to provide some security, like preventing SQL injections and other things.

My question is... given this structure, when I pass this structure like (just a simple example, it will be run in a different way, but this one is valid for the time being):

$this->queries["clients/history"]->execute($this->attributes["query"], $this->attributes["parameters"]);

Will there be any difference in using named parameters like (:date,:client,:ammount,:status) or using question mark parameters like (?,?,?,?)?

EDIT - Better explanation

Sorry for the (apparent) obscurity of my question. My intention is to have a mechanism similar to sprintf but, instead of storing a string with all parameters composed into it, I just store the query and the parameters separately.

This is just the Query class. There's also the QueryGroup class (for storing queries in groups), the Manager class (which stores and manages all database connections) and the Connection class (which is responsible for holding together all queries and query groups for a given database connection).

About the named parameters, I see no problem with the method I'm using, as this works, like I said, like the sprintf function. I'll be providing either question marks or the parameters' names in the query string.

I want to make a separation to provide additional filtering capabilities like escaping or quoting parameters to prevent some forms of injection or sabotage against a given database.

The execute() method I've exposed is just a paper-copy of PDO's execute() method. What I try to determine is if it's equally 'safe' to use named parameters or question mark parameters (or maybe there's some differences I'm not seeing there).

Any hint would be greatly appreciated :)


Answer 1:


The difference between named and unnamed parameters is that with unnamed parameters you'll have to take care of the order in which they will be bound to the query.

Especially in your example, unnamed params will fit very well as they ease the function call.


Further note that you won't need to call return $this; in a constructor method.




Answer 2:


In your case it should make no difference.




Answer 3:


Although there is no technical difference (as PDO will just replace named placeholders with question marks internally), there is a usability issue.

For the sprintf-like function, question marks seem a much better solution, as they will indeed let you use sprintf style (dunno why you're creating a whole class for the query):

$query = new Query("SELECT * FROM t WHERE a=? AND b=?", $ida, $idb);

while with named parameters it will be a lot more verbose.
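The two placeholder styles side by side, as an added example that is not part of the original question or any of the answers. It runs the asker's kind of INSERT against an in-memory SQLite database, so the `history` table and its column names are assumed for illustration; the point it demonstrates is the one answer 3 makes (same safety, different ergonomics), plus what happens when a hostile value is bound rather than concatenated:

```php
<?php
// Added example: positional (?) versus named (:name) PDO placeholders.
// Uses an in-memory SQLite database so it runs offline; the table and
// column names are assumed for illustration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, does the binding. SQLite always
// prepares natively, so the attribute is not set here.

$pdo->exec('CREATE TABLE history (date TEXT, client INTEGER, amount REAL, status TEXT)');

// Positional placeholders: the parameter array is ordered, so the caller
// has to keep the values in exactly the order of the question marks.
$positional = $pdo->prepare(
    'INSERT INTO history (date, client, amount, status) VALUES (?, ?, ?, ?)'
);
$positional->execute(['2020-02-15 22:50:28', 57, 17852.25, 'A']);

// Named placeholders: the parameter array is keyed, so order does not
// matter and every value says which column it belongs to.
$named = $pdo->prepare(
    'INSERT INTO history (date, client, amount, status)
     VALUES (:date, :client, :amount, :status)'
);
$named->execute([
    'status' => 'A',
    'amount' => 17852.25,
    'client' => 57,
    'date'   => '2020-02-15 22:50:28',
]);

// The injection case: a hostile value is bound, not interpolated, so with
// either style it is stored verbatim as data and never parsed as SQL.
$hostile = "A'); DROP TABLE history; --";
$positional->execute(['2020-02-16 00:00:00', 58, 1.0, $hostile]);
$named->execute([
    'date'   => '2020-02-16 00:00:00',
    'client' => 59,
    'amount' => 1.0,
    'status' => $hostile,
]);

// The table still exists and holds four rows; the hostile string shows up
// as a plain status value on clients 58 and 59.
$count = (int) $pdo->query('SELECT COUNT(*) FROM history')->fetchColumn();
printf("rows in history: %d\n", $count);

$rows = $pdo->query('SELECT client, status FROM history ORDER BY client')
            ->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    printf("%d  %s\n", $row['client'], $row['status']);
}
```

Two caveats worth keeping in mind with either style. A single statement may not mix `?` and `:name` markers, and (per the PDO::prepare documentation) a named marker may not be repeated within one statement unless prepare emulation is on, so a sprintf-like wrapper that reuses a value must bind it twice under two names or pass it twice positionally. Also, placeholders only ever stand for values: the table and column names in the asker's query (such as `clients/history`) are identifiers and cannot be bound, so they must never come from user input.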



Source: https://stackoverflow.com/questions/15854797/pdo-statements-with-named-parameters-vs-question-mark-parameters
