PDO 语句的转义参数? [英] Escape arguments for PDO statements?

问题描述

PDO 新手 - 我是否需要转义我传递到 PDO 准备好的语句中的参数(例如以下):

New to PDO - do I need to escape arguments I'm passing into a PDO prepared statement (such as the following):

$_GET['name'] = "O'Brady";

$sth = $dbh->prepare("INSERT INTO users SET name = :name");
$sth->bindParam(':name', $_GET['name']);
$sth->execute();

推荐答案

没有.文本字符串周围也不需要任何引号.只需按原样传入变量，MySQL 驱动程序将负责其余的工作.

No. Neither do you need any quotation marks around text strings. Just pass in the variables as they are and the MySQL driver will take care of the rest.

这篇关于PDO 语句的转义参数?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！