For faster navigation, this Iframe is preloading the Wikiwand page for 參數化查詢.

參數化查詢

參數化查詢(parameterized query 或 parameterized statement)是指在設計與資料庫連結並存取資料時,在需要填入數值或資料的地方,使用參數(parameter)來給值,這個方法目前已被視為最有效可預防SQL注入攻击的攻擊手法的防禦方式。

除了安全因素,相比起拼接字符串的SQL语句,参数化的查询往往有性能优势。因为参数化的查询能令不同的数据通过参数到达数据库,从而共用同一条SQL语句。大多数数据库会缓存解释SQL语句产生的字节码而省下重复解析的开销。如果采取拼接字符串的SQL语句,则会由于操作数据是SQL语句的一部分而非参数的一部分,而反复大量解释SQL语句产生不必要的开销。

原理

在使用參數化查詢的情況下,資料庫伺服器不會將參數的內容視為SQL指令的一部份來處理,而是在資料庫完成SQL指令的編譯後,才套用參數執行,因此就算參數中含有具破壞性的指令,也不會被資料庫所執行。

SQL指令撰寫方法

在撰寫SQL指令時,利用參數來代表需要填入的數值,例如:

Microsoft SQL Server

Microsoft SQL Server的參數格式是以"@"字元加上參數名稱而成,SQL Server亦支援匿名參數"?"。 

 SELECT * FROM myTable WHERE myID = @myID

 INSERT INTO myTable (c1, c2, c3, c4) VALUES (@c1, @c2, @c3, @c4)

Microsoft Access

Microsoft Access不支援具名參數,只支援匿名參數"?"。 

 UPDATE myTable SET c1 = ?, c2 = ?, c3 = ? WHERE c4 = ?

MySQL

MySQL的參數格式是以"@"字元加上參數名稱而成。 

set @c1 := xxx;
set @c2 := xxx; 
set @c3 := xxx;
set @c4 := xxx;
UPDATE myTable SET c1 = @c1, c2 = @c2, c3 = @c3 WHERE c4 = @c4

PostgreSQL/SQLite

PostgreSQLSQLite的参数格式是以“:”加上参数名而成。当然,也支持类似Access的匿名参数。 

 UPDATE "myTable" SET "c1" = :c1, "c2" = :c2, "c3" = :c3 WHERE "c4" = :c4

用戶端程式撰寫方法

在用戶端程式碼中撰寫使用參數的程式碼,例如:

ADO.NET

ADO.NET用於ASP.NET之內。 

SqlCommand sqlcmd = new SqlCommand("INSERT INTO myTable (c1, c2, c3, c4) VALUES (@c1, @c2, @c3, @c4)", sqlconn);

sqlcmd.Parameters.AddWithValue("@c1", 1); // 設定參數@c1的值。
sqlcmd.Parameters.AddWithValue("@c2", 2); // 設定參數@c2的值。
sqlcmd.Parameters.AddWithValue("@c3", 3); // 設定參數@c3的值。
sqlcmd.Parameters.AddWithValue("@c4", 4); // 設定參數@c4的值。

sqlconn.Open();
sqlcmd.ExecuteNonQuery();
sqlconn.Close();

PDO

PDO用於PHP之內。在使用PDO驱动时,参数查询的使用方法一般为: 

// 实例化数据抽象层对象
$db = new PDO('pgsql:host=127.0.0.1;port=5432;dbname=testdb');
// 对SQL语句执行prepare,得到PDOStatement对象
$stmt = $db->prepare('SELECT * FROM "myTable" WHERE "id" = :id AND "is_valid" = :is_valid');
// 绑定参数
$stmt->bindValue(':id', $id);
$stmt->bindValue(':is_valid', true);
// 查询
$stmt->execute();
// 获取数据
foreach($stmt as $row) {
    var_dump($row);
}

对于MySQL的特定驱动,也可以这样使用: 

$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();

值得注意的是,以下方式虽然能有效防止SQL注入(归功于mysql_real_escape_string函数的转义),但并不是真正的参数化查询。其本质仍然是拼接字符串的SQL语句。 

$query = sprintf("SELECT * FROM Users where UserName='%s' and Password='%s'", 
                  mysql_real_escape_string($Username), 
                  mysql_real_escape_string($Password));
mysql_query($query);

ODBC/JDBC

ODBC 使用 C 样式的函数 / 句柄接口,而 JDBC 用於 Java 之內。 

//C/C++, Microsoft Windows ODBC
TCHAR szStatement[]=TEXT("select * from table where col1=?");
HSTMT hStmt;
SQLAllocHandle(SQL_HANDLE_STMT, hDBC, &sRet.hStmt);
SQLPrepare(hStmt, szStatement, SQL_NTS);
int iValue=5;
SQLLEN iLOI;
SQLBindParameter(hStmt, 1, SQL_PARAM_INPUT, SQL_C_LONG, SQL_INTEGER, sizeof(iValue), 0, &iValue, sizeof(iValue), &iLOI);
SQLExecute(hStmt);

//JDBC
java.sql.PreparedStatement prep = connection.prepareStatement(
                "SELECT * FROM users WHERE USERNAME = ? AND PASSWORD = ?");
prep.setString(1, username);
prep.setString(2, password);
prep.executeQuery();

Cold Fusion 

<cfquery name="Recordset1" datasource="cafetownsend">
SELECT *
FROM COMMENTS
WHERE COMMENT_ID =<cfqueryparam value="#URL.COMMENT_ID#" cfsqltype="cf_sql_numeric">
</cfquery>
概念
数据库组件
SQL
分类
指令
安全
实现
类型
数据库产品
  • 对象型
    • 对比
  • 关系型
数据库组件
{{bottomLinkPreText}} {{bottomLinkText}}
This page is based on a Wikipedia article written by contributors (read/edit).
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.
Cover photo is available under {{::mainImage.info.license.name || 'Unknown'}} license. Cover photo is available under {{::mainImage.info.license.name || 'Unknown'}} license. Credit: (see original file).
參數化查詢
Listen to this article

This browser is not supported by Wikiwand :(
Wikiwand requires a browser with modern capabilities in order to provide you with the best reading experience.
Please download and use one of the following browsers:

This article was just edited, click to reload
This article has been deleted on Wikipedia (Why?)

Back to homepage

Please click Add in the dialog above
Please click Allow in the top-left corner,
then click Install Now in the dialog
Please click Open in the download dialog,
then click Install
Please click the "Downloads" icon in the Safari toolbar, open the first download in the list,
then click Install
{{::$root.activation.text}}

Install Wikiwand

Install on Chrome Install on Firefox
Don't forget to rate us

Tell your friends about Wikiwand!

Gmail Facebook Twitter Link

Enjoying Wikiwand?

Tell your friends and spread the love:
Share on Gmail Share on Facebook Share on Twitter Share on Buffer

Our magic isn't perfect

You can help our automatic cover photo selection by reporting an unsuitable photo.

This photo is visually disturbing This photo is not a good choice

Thank you for helping!


Your input will affect cover photo selection, along with input from other users.

X

Get ready for Wikiwand 2.0 🎉! the new version arrives on September 1st! Don't want to wait?