php 如何在 pdo 中转义字符串?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/15091734/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to escape strings in pdo?
提问by Humphrey
I would like to know how to escape strings in pdo . I have been escaping the springs like in the code bellow but now with pdo I do not know how to do it
我想知道如何在 pdo 中转义字符串。我一直在像下面的代码一样逃离弹簧,但现在使用 pdo 我不知道该怎么做
$username=(isset($_POST['username']))? trim($_POST['username']): '';
$previlage =(isset($_GET['previlage']));
$query ="SELECT * FROM site_user
WHERE username = '".mysql_real_escape_string($_SESSION['username'])."' AND previlage ='Admin'";
$security = mysql_query($query)or die (mysql_error($con));
$count = mysql_num_rows($security);
回答by raina77ow
Well, you can use PDO::quote, but, as said in its own docpage...
好吧,您可以使用PDO::quote,但是,正如其自己的文档页面中所说...
If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare()to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement.
如果您使用该函数来构建 SQL 语句,强烈建议您使用PDO::prepare()来准备带有绑定参数的 SQL 语句,而不是使用 PDO::quote() 将用户输入插入到 SQL 语句中。
In your case it can look like this:
在您的情况下,它可能如下所示:
$query = "SELECT *
FROM site_user
WHERE username = :username AND previlage = 'Admin'";
$sth = $dbh->prepare($query);
$sth->execute(array(':username' => $_SESSION['username']) );
