PDO quote method

Views: 53

Question


Where and when do you use the quote method in PDO? I'm asking this in the light of the fact that in PDO, all quoting is done by the PDO object therefore no user input should be escaped/quoted etc. This makes one wonder why worry about a quote method if it's not gonna get used in a prepared statement anyway?

Recommended answer


While this may not be the only use-case, it's the only one I've needed quote for. You can only pass values using PDO_Stmt::execute, so for example this query wouldn't work:

```sql
SELECT * FROM tbl WHERE :field = :value
```


That is where quote comes in, so that you can do this:

```php
// Example: filter by a specific column
$defaultCol = "name";   // fallback column when ?col= is missing or not whitelisted
$value      = "alice";  // value to compare against, passed as a bound parameter

$columns = array("name", "location");
$column = isset($columns[$_GET["col"]]) ? $columns[$_GET["col"]] : $defaultCol;

$stmt = $pdo->prepare("SELECT * FROM tbl WHERE " . $pdo->quote($column) . " = :value");
$stmt->execute(array(":value" => $value));

$stmt = $pdo->prepare("SELECT * FROM tbl ORDER BY " . $pdo->quote($column) . " ASC");
```


and still expect $column to be filtered safely in the query.
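The following is an added example, not part of the answer above. It runs against an in-memory SQLite database (table and rows are constructed here) and shows three things a practitioner should check before copying the snippet: that PDO::quote() wraps its argument as a string literal rather than a quoted identifier, so `WHERE 'name' = :value` compares the literal text `name` to the bound value and never reads the column; that the safety in the snippet therefore comes from the whitelist, which is the right tool for identifiers since they cannot be bound; and where quote() genuinely belongs, namely a value that must be inlined into SQL text that is not going through a prepared statement. The helper `columnFromRequest` and the column and row values are assumptions made for this example.

```php
<?php
// Added example, not from the original answer. Uses SQLite in memory so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT, location TEXT)");
$pdo->exec("INSERT INTO tbl (name, location) VALUES ('alice', 'oslo'), ('bob', 'lima')");

// 1. quote() returns a string literal, not a quoted identifier.
var_dump($pdo->quote('name'));                      // string(6) "'name'"

// Interpolating that literal into WHERE compares 'name' with :value; the column is
// never consulted: no rows match 'alice', and every row matches the text 'name'.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM tbl WHERE " . $pdo->quote('name') . " = :value");
$stmt->execute([':value' => 'alice']);
var_dump((int) $stmt->fetchColumn());               // int(0)
$stmt->execute([':value' => 'name']);
var_dump((int) $stmt->fetchColumn());               // int(2)

// 2. Identifiers cannot be bound. Validate the request value against a whitelist and
//    interpolate the whitelisted name itself (never the raw request input).
//    columnFromRequest is a hypothetical helper written for this example.
function columnFromRequest(array $allowed, $requested, string $default): string
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

$columns = ['name', 'location'];
$column  = columnFromRequest($columns, $_GET['col'] ?? null, 'name');

$stmt = $pdo->prepare("SELECT name FROM tbl WHERE $column = :value");
$stmt->execute([':value' => 'alice']);
var_dump($stmt->fetchColumn());                     // string(5) "alice"

// 3. Where quote() does belong: a value that has to be inlined into SQL text,
//    for example a one-off statement run through exec() without parameters.
$loc = "o'slo";                                     // constructed input containing a quote character
$pdo->exec("INSERT INTO tbl (name, location) VALUES ('carol', " . $pdo->quote($loc) . ")");
$stmt = $pdo->query("SELECT location FROM tbl WHERE name = 'carol'");
var_dump($stmt->fetchColumn());                     // string(5) "o'slo"
```

The whitelist check in part 2 uses the column name itself as the request value (`?col=location`) rather than the numeric index used in the answer; either works, as long as only a value taken from the fixed list ever reaches the SQL string.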
