What's the internals of a prepared statement like? [closed]

非 Y 不嫁゛ submitted on 2019-12-08 12:27:09

Question


Here's how bind_params seems to be preparing SQL statements:

stmt = db.prepare( "select * from table where a=? and b=?" )
stmt.bind_params( 15, "hello" )

So in reality, inside the stmt, we need to have a map/array or something that will eventually map the arguments and create the right stmt. What's the most optimal way of doing this internally? Plus strings need extra precaution I imagine - the above will have to be mapped like "select * from table where a = 15 and b = \"hello\" ".

I looked into SQLite3 and OCI and they seem to be passing these to internal C code.


Answer 1:


I am trying to prepare the queries at the client side and send them to the server

If you're trying to do what it sounds like you're trying to do... don't try to do that.

That's not what a prepared statement is (or at least that isn't what it should be).

Your client code should not be trying to interpolate values into the query string in order to generate a "finished" query to send to the server for execution. That is a recipe for disaster, not to mention a false sense of security.

Prepared statements deliver the statement with ? placeholders to the server as-is, where the server "prepares" the statement for execution... and then the client sends the parameters to the server ("binding" the parameters) for execution. Doing this, the server will never be confused as to "which part is the SQL" and "which part is the data," making SQL injection impossible and making escaping and sanitizing the data unnecessary.

mysql_stmt_bind_param() is used to bind input data for the parameter markers in the SQL statement that was passed to mysql_stmt_prepare(). It uses MYSQL_BIND structures to supply the data. bind is the address of an array of MYSQL_BIND structures. The client library expects the array to contain one element for each ? parameter marker that is present in the query.

— http://dev.mysql.com/doc/refman/5.6/en/mysql-stmt-bind-param.html

If you are not communicating directly with the C-API then you should be calling the methods in your library that expose those same functions to you.
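The difference the answer describes, shown as an added example that is not part of the original question or answer. It uses Python's standard-library sqlite3 module (the question mentions SQLite3; the MySQL C API does the same thing through mysql_stmt_prepare() and mysql_stmt_bind_param()). The table name `t`, the columns `a` and `b`, the sample rows and the injection payload are all constructed for the example. The first function builds a finished SQL string on the client, as the question proposes; the second hands the engine the statement with `?` markers and binds the values separately.

```python
import sqlite3

# Constructed sample data (not from the original page).
SAMPLE_ROWS = [
    (15, "hello"),
    (15, "world"),
    (16, "hello"),
]


def make_db():
    """In-memory SQLite database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (a INTEGER, b TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def query_interpolated(conn, a, b):
    """What the question proposes: the client interpolates the values into the
    SQL text and ships a 'finished' query.  The value of b becomes part of the
    SQL itself, so a quote inside b changes the meaning of the statement.
    (Single quotes are used for the literal; in SQLite double quotes normally
    denote an identifier.)"""
    sql = "select * from t where a = %d and b = '%s'" % (a, b)
    return conn.execute(sql).fetchall()


def query_prepared(conn, a, b):
    """Prepared statement: the text with ? markers is compiled by the engine
    (sqlite3_prepare under the hood) and the values are bound to the markers
    afterwards (sqlite3_bind_*).  The engine never parses the values as SQL,
    so no escaping of b is needed and no escaping is attempted."""
    return conn.execute(
        "select * from t where a = ? and b = ?", (a, b)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "hello' OR 'x'='x"  # constructed injection payload
    print("benign, interpolated:", query_interpolated(db, 15, "hello"))
    print("benign, prepared:    ", query_prepared(db, 15, "hello"))
    print("payload, interpolated:", query_interpolated(db, 15, payload))
    print("payload, prepared:    ", query_prepared(db, 15, payload))
```

With the benign value both functions return the single matching row. With the payload, the interpolated query becomes `... b = 'hello' OR 'x'='x'` and returns every row in the table, while the prepared query looks for a row whose b column literally equals the payload string and returns nothing. The point the answer makes is visible in the code: the prepared version never touches the SQL text after it is compiled.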



Source: https://stackoverflow.com/questions/20034845/whats-the-internals-of-a-prepared-statement-like
