PHP 原生查询性能与安全优化实战

在实际开发中，直接拼接 SQL 字符串是常见的隐患。下面这段代码展示了典型的查询逻辑，虽然功能上能跑通，但在安全性和性能上存在明显短板。

原始问题分析

观察以下实现方式：

// 井不为空时
if ($productId != '') {
    $data = $this->getQueryStatement($productId, $m_intSTime, $m_intETime)['query1'];
    return $this->getCommonValue($data);
} elseif ($productId == '') {
    $data = $this->getQueryStatement($productId, $m_intSTime, $m_intETime)['query2'];
    return $this->getCommonValue($data);
}

// 查询语句
private function getQueryStatement($productId, $m_intSTime, $m_intETime) {
    // 第一个查询语句
    $query1 = "SELECT a.SERIAL, a.COMMANDID, a.CELLID, a.USERID, a.LIBTIME, a.[RETURN], a.VALUE, a.USERALIAS, (SELECT NAME FROM system_index WHERE ID = a.CELLID) AS NAME FROM system_command AS a WHERE a.CELLID IN (SELECT ID FROM system_index WHERE PARENTID = '{$productId}') AND a.LIBTIME BETWEEN '{$m_intSTime}' AND ''";
    
     = ;
     [ => ,  => ];
}


 {
     = ->da->();
     (->strState == ) {
         = ->Data->(PDO::);
    }
    
     ( = ;  < (); ++) {
         = ;
         = ->da->();
         (->strState == ) {
             = ->Data->(PDO::);
        }
         ([][] === ) {
            [][] = [][];
        }  {
             = ;
             = ->da->();
             (->strState == ) {
                 = ->Data->(PDO::);
            }
            [][] = [][];
        }
    }
     ();
}

private function getQueryStatement($productId, $m_intSTime, $m_intETime) { // 使用占位符，避免注入 if (!empty($productId)) { $sql = "SELECT a.SERIAL, a.COMMANDID, a.CELLID, a.USERID, a.LIBTIME, a.[RETURN], a.VALUE, a.USERALIAS, (SELECT NAME FROM system_index WHERE ID = a.CELLID) AS NAME FROM system_command AS a WHERE a.CELLID IN (SELECT ID FROM system_index WHERE PARENTID = :pid) AND a.LIBTIME BETWEEN :start AND :end"; $params = ['pid' => $productId, 'start' => $m_intSTime, 'end' => $m_intETime]; } else { $sql = "SELECT a.SERIAL, a.COMMANDID, a.CELLID, a.USERID, a.LIBTIME, a.[RETURN], a.VALUE, a.USERALIAS, b.NAME FROM system_command AS a JOIN system_index AS b ON a.CELLID = b.ID WHERE a.LIBTIME BETWEEN :start AND :end"; $params = ['start' => $m_intSTime, 'end' => $m_intETime]; } return ['sql' => $sql, 'params' => $params]; } private function getCommonValue($data) { $stmt = $this->pdo->prepare($data['sql']); $stmt->execute($data['params']); $arrID = $stmt->fetchAll(PDO::FETCH_ASSOC); if (empty($arrID)) return json_encode([]); // 收集所有需要查询的 CELLID $cellIds = array_column($arrID, 'CELLID'); $placeholders = implode(',', array_fill(0, count($cellIds), '?')); // 一次性获取所有索引信息，替代循环查询 $indexSql = "SELECT ID, Name, PARENTID, TYPE FROM system_index WHERE ID IN ($placeholders)"; $indexStmt = $this->pdo->prepare($indexSql); $indexStmt->execute($cellIds); $indexMap = []; foreach ($indexStmt->fetchAll(PDO::FETCH_ASSOC) as $row) { $indexMap[$row['ID']] = $row; } // 内存中处理层级关系 foreach ($arrID as &$item) { $cellId = $item['CELLID']; if (isset($indexMap[$cellId])) { $info = $indexMap[$cellId]; if ($info['TYPE'] === '59') { $item['parent'] = $info['Name']; } else { $parentId = $info['PARENTID']; if (isset($indexMap[$parentId])) { $item['parent'] = $indexMap[$parentId]['Name']; } else { $item['parent'] = null; } } } } return json_encode($arrID); }

PHP 原生查询性能与安全优化实战