我看到大多数应用程序在PHP中生成查询时,为直接数据访问指定存储过程似乎很整洁.有什么理由避免使用存储过程吗?
I see most applications generating queries within PHP when it seems so much neater to designate stored procedures for direct data access. Is there any reason to avoid stored procedures?
推荐答案这几乎是一个宗教性的讨论,具体取决于您问的是谁.开发人员与应用之间存在微妙的平衡.在这种情况下,dbas必须和解.
This is almost a religious discussion depending on who you ask. There is a delicate balance that developers & dbas have to reconcile in these types of cases.
基本上,这是您真正想发挥作用的想法:
Basically here's the thinking you really want to put in play:
如果PHP代码使用动态SQL,则必须始终考虑防止SQL注入攻击的保护措施.输入的数据必须先清理后再放入数据库.
If PHP code is using dynamic SQL, protections against SQL injection attacks must be considered at all times. Inputs MUST be sanitized before putting to the database.
如果PHP代码使用动态SQL,但惯例是使用预备语句,那么您在某种程度上更安全,但是必须注意如何使用预备语句.
If PHP code is using dynamic SQL but the convention is to use prepared statements then you're safer to some degree but care must be taken in how the prepared statements are used.
如果PHP代码正在使用存储过程,则SQL的大部分控制将从开发人员中删除,并留给DBA与开发人员合作,以提供满足其需求的适当解决方案.不幸的是,这可能会花费大量时间和精力,并且会在开发/维护上来回移动.
If PHP code is using stored procedures, much of the control of the SQL is removed from the developer and left up to the DBA to work with the developers to provide an adequate solution that meets their needs. This unfortunately can cause much time and effort and going back and forth on development/maintenance.
这是一个灰色区域,其中有很多流派认为方程式的哪一边是正确的,因为它们都是从某些角度来看的.
It's one of those things that is a gray area and there are many schools of thought on which side of the equation is right because they both are from certain points of view.
更多推荐
是否有理由不对每个查询使用存储过程?
发布评论