## PDO::quote

Escapes a string and wraps it in quotes so that it can be used safely in an SQL query.

The PDO::quote function converts the special characters in a string (for example single quotes, double quotes and backslashes) into their escape sequences and adds a single quote at the beginning and at the end. This ensures that the string inside the SQL query is not misinterpreted as part of the statement, which is how it helps avoid SQL injection attacks. The escaping is done according to the rules of the underlying driver, so the result differs between MySQL and SQLite.

Example

```
// $pdo is an existing PDO connection
$name = "Alice";
$quoted_name = $pdo->quote($name);   // returns 'Alice', quotes included
$sql = "SELECT * FROM users WHERE name = $quoted_name";
```

## Quick start

```
<?php
// PDO + MySQL
$pdo = new PDO('mysql:host=example.com;dbname=database', 'user', 'password');
$statement = $pdo->query("SELECT some_field FROM some_table");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['some_field']);

// PDO + SQLite
$pdo = new PDO('sqlite:/path/db/foo.sqlite');
$statement = $pdo->query("SELECT some_field FROM some_table");
$row = $statement->fetch(PDO::FETCH_ASSOC);
echo htmlentities($row['some_field']);
```

High security

```
$pdo = new PDO('sqlite:/path/db/users.db');
$stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
// <-- filter your data first (see [Data Filtering](#data_filtering)), especially important for INSERT, UPDATE, etc.
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
// <-- the bound value never becomes part of the SQL text, so PDO handles it safely
$stmt->bindParam(':id', $id, PDO::PARAM_INT);
$stmt->execute();
```
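The following example is added here and is not part of the original page: it runs both approaches described above, PDO::quote() and a prepared statement, against an in-memory SQLite database with a constructed input that contains a single quote, so the effect of the escaping can be seen directly. The table, rows and input value are assumptions made up for the example.

```php
<?php
// Added example (not from the original page). Uses an in-memory SQLite database
// so it runs offline without a server; the schema and data are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// Constructed input containing a single quote, as a user might legitimately type it.
$name = "O'Brien";

// 1. PDO::quote(): the quote inside the value is escaped (SQLite doubles it) and
//    the whole value is wrapped in single quotes, so the query parser sees one
//    string literal instead of a quote that ends the literal early.
$quoted = $pdo->quote($name);            // 'O''Brien'
$rows = $pdo->query("SELECT id, name FROM users WHERE name = $quoted")
            ->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) via quote(): ", $rows[0]['name'] ?? '', "\n";   // 1 row(s) via quote(): O'Brien

// 2. Prepared statement: the value never becomes part of the SQL text at all,
//    which is why it is the preferred mechanism whenever the driver supports it.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) via prepare(): ", $rows[0]['name'] ?? '', "\n"; // 1 row(s) via prepare(): O'Brien

// 3. quote() only protects string literals. For numeric columns, validate the
//    input and bind it with the matching PDO::PARAM_* type rather than quoting it.
$id = filter_var('2', FILTER_VALIDATE_INT);   // constructed input; false if not an integer
if ($id !== false) {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    echo "id 2 is ", $stmt->fetchColumn(), "\n";                              // id 2 is O'Brien
}
```

Run it with `php example.php`; the three echo lines show that both approaches return the same single row for the quoted name.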