使用PDO PHP的mysql_real_escape_string [英] mysql_real_escape_string with PDO PHP
问题描述
您好,我是PDO的新手,因此感到困惑和出现错误;)与mysql_real_escape_string ..
Hello i am new to PDO so getting confused and getting errors ;) with mysql_real_escape_string ..
可以帮忙,这是我的代码
can any one help, here is my code
if(!empty($_POST) && isset($_POST)) {
include ('connection_pdo.php');
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);
$source_url= mysql_real_escape_string($_POST['source_url']);
$class = mysql_real_escape_string($_POST['class']);
$year = mysql_real_escape_string($_POST['year']);
$date = time();
$ip = $_SERVER['REMOTE_ADDR'];
$insert = $dbh->prepare("
INSERT IGNORE INTO school_students_images
( folder_name, image_url, source_url, class, year , date , ip )
VALUES (:folder_name, :image_url, :source_url, :class, :year, :date, :ip)
");
$a=0;
while ($a<1000){
$a++;
$insert->execute(array(
'folder_name'=> $name->content, //** geting from other source
'image_url' => $link[$a], //** geting from other source
'source_url' => $source_url,
'class' => $class ,
'year' => $year ,
'date' => $date,
'ip' => $ip
));
}
无法正常工作但出现错误,但是如果我不加使用
it not working getting error but if i am using it with-out
$source_url= ($_POST['source_url']);
$class = ($_POST['class']);
$year = ($_POST['year']);
$date = time();
$ip = $_SERVER['REMOTE_ADDR'];
它正在工作...所以我感到困惑,在没有mysql_real_escape_string的情况下可以安全地进行开机自检吗? (默认情况下,PDO是否提供任何安全性?)或者我在此过程中犯了一些错误... 请帮助
it is working ... so i am confused is it safe to POST without mysql_real_escape_string into database? (is PDO giving any security by default ?) or i am doing some mistake in this... please help
推荐答案
是的,PDO会自动转义数据,因此您无需使用mysql_real_escape_string
.请参见此处 , 例如.
Yes, PDO automatically escapes your data, so you don't need to use mysql_real_escape_string
. See here, for example.
这篇关于使用PDO PHP的mysql_real_escape_string的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!