問題描述
當我使用 PDO 庫?
如何使用 PDO 正確轉義用戶輸入?
How do I properly escape user input with PDO?
推薦答案
如果您使用 PDO,您可以參數化您的查詢,無需轉義任何包含的變量.
If you use PDO you can parametize your queries, removing the need to escape any included variables.
請參閱此處,了解 PDO 的精彩介紹教程.
See here for a great introductory tutorial for PDO.
使用 PDO,您可以使用準備好的語句將 SQL 和傳遞的參數分開,這消除了對字符串進行轉義的需要,因為這兩者是分開保存的,然后在執行時組合,參數會自動作為字符串處理,來自上述來源:
Using PDO you can seperate the SQL and passed parameters using prepared statements, this removes the need to escape strings, as because the two are held seperately then combined at execution, the parameters are automatically handled as stings, from the above source:
// where $dbh is your PDO connection
$stmt = $dbh->prepare("SELECT * FROM animals WHERE animal_id = :animal_id AND animal_name = :animal_name");
/*** bind the paramaters ***/
$stmt->bindParam(':animal_id', $animal_id, PDO::PARAM_INT);
$stmt->bindParam(':animal_name', $animal_name, PDO::PARAM_STR, 5);
/*** execute the prepared statement ***/
$stmt->execute();
注意:在變量綁定期間進行清理 ($stmt->bindParam)
Note: sanitization occurs during variable binding ($stmt->bindParam)
其他資源:
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
http://www.phpeveryday.com/articles/PDO-Prepared-Statement-P550.html
http://php.net/manual/en/pdo.prepared-聲明.php
這篇關于如何使用 PDO 清理輸入?的文章就介紹到這了,希望我們推薦的答案對大家有所幫助,也希望大家多多支持html5模板網!