如何在pdo中转义字符串?
我想知道如何在pdo中转义字符串. 我一直在像下面的代码中那样逃避弹簧,但是现在使用pdo我不知道该怎么做
I would like to know how to escape strings in pdo . I have been escaping the springs like in the code bellow but now with pdo I do not know how to do it
$username=(isset($_POST['username']))? trim($_POST['username']): '';
$previlage =(isset($_GET['previlage']));
$query ="SELECT * FROM site_user
WHERE username = '".mysql_real_escape_string($_SESSION['username'])."' AND previlage ='Admin'";
$security = mysql_query($query)or die (mysql_error($con));
$count = mysql_num_rows($security);
好,您可以使用 PDO :: quote ,但是,如其自己的文档页面所述...
Well, you can use PDO::quote, but, as said in its own docpage...
如果您正在使用此函数来构建SQL语句,则您 强烈建议使用 PDO :: prepare() 来准备SQL陈述 绑定参数,而不是使用PDO :: quote()进行插值 用户输入到SQL语句中.
If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement.
在您的情况下,它看起来可能像这样:
In your case it can look like this:
$query = "SELECT *
FROM site_user
WHERE username = :username AND previlage = 'Admin'";
$sth = $dbh->prepare($query);
$sth->execute(array(':username' => $_SESSION['username']) );