使用PHP插入MySQL时,我可以执行以下任一操作:
$query = 'INSERT INTO tablename SET id = "4"';
$query = "INSERT INTO tablename SET id = '4'";
$query = 'INSERT INTO tablename SET id = \'4\'';
$query = "INSERT INTO tablename SET id = \"4\"";
是否有理由(安全性,性能,代码可读性......)为什么我更应该选择其中一种呢?
答案 0 :(得分:0)
这取决于情况,在你的情况下它应该是:
$query = 'INSERT INTO tablename (id) VALUES (4)';
如果您想要插入一个整数和一个字符串,它应该是:
$query = "INSERT INTO tablename (id, name) VALUES (4, 'New York')";
如果您希望通过直接将变量插入查询来构建查询,则应该是:
$query = "INSERT INTO tablename (id, name) VALUES ($id, '$city')";
如果您希望使用例如PDO library来构建查询,那么它将是:
$query = 'INSERT INTO tablename (id, name) VALUES (:id, :city)';
答案 1 :(得分:0)
与Martin Bean提到的一样,使用准备好的陈述是个好主意:
$stmt = $con->prepare("INSERT INTO tablename SET id=?");
$stmt->bind_param(4);
$stmt->execute();
$stmt->close();
答案 2 :(得分:0)
我认为这是最常见的格式:
$query = "INSERT INTO tablename SET id = '4'";
因此,您可以轻松返回并执行变量扩展,如下所示:
$id = 4;
$table = "tablename";
$query = "INSERT INTO $table SET id = '$id'";
如果4是用户传入的内容,您将使用参数化查询并绑定参数以避免SQL注入:
$id = $_POST["id"];
$table = "tablename";
$stmt = $con->prepare("INSERT INTO $tablename SET id=:id");
$stmt->bindParam(":id", $id);
$stmt->execute();