PDO quote method
Question
Where and when do you use the quote method in PDO? I'm asking this in the light of the fact that in PDO, all quoting is done by the PDO object therefore no user input should be escaped/quoted etc. This makes one wonder why worry about a quote method if it's not gonna get used in a prepared statement anyway?
Recommended answer
While this may not be the only use-case, it's the only one I've needed quote for. You can only pass values using PDO_Stmt::execute, so for example this query wouldn't work:
SELECT * FROM tbl WHERE :field = :value
This is where quote comes in, so that you can do this:
// Example: filter by a specific column
$columns = array("name", "location");
// whitelist lookup: an unknown index falls back to the default column
$column = isset($columns[$_GET["col"]]) ? $columns[$_GET["col"]] : $defaultCol;
// the column name is concatenated into the SQL; the value is bound
$stmt = $pdo->prepare("SELECT * FROM tbl WHERE " . $pdo->quote($column) . " = :value");
$stmt->execute(array(":value" => $value));

$stmt = $pdo->prepare("SELECT * FROM tbl ORDER BY " . $pdo->quote($column) . " ASC");

and still expect $column to be filtered safely in the query.
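An added example, not part of the answer above or of PDO's own documentation, showing how a practitioner would separate the two kinds of untrusted input the answer mixes. PDO::quote() returns a single-quoted string literal; it does not produce an identifier, so applying it to a column name yields a constant comparison rather than a filtered column. Column names therefore go through a whitelist and are emitted as identifiers, bound placeholders carry values, and quote() is reserved for literals in statements the driver will not parametrise (SQLite, for instance, refuses bound parameters inside CREATE VIEW). The in-memory SQLite database, its rows, and the function names whereColumn, createLocationView and quotedIdentifierDemo are all constructed for this example.

```php
<?php
// Added example, not code from the original answer. Uses an in-memory
// SQLite database so it runs offline; table, rows and inputs are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT, location TEXT)');
$pdo->exec("INSERT INTO tbl (name, location) VALUES
            ('alice', 'berlin'), ('bob', 'paris'), ('carol', 'O''Hare')");

// 1. Identifiers (column names) cannot be bound with execute(), and
//    quote() turns its argument into a string literal, not an identifier.
//    Map untrusted input onto a fixed whitelist and emit the identifier
//    yourself; the bound :value placeholder carries the user's value.
function whereColumn(PDO $pdo, string $requested, string $value): array {
    $columns = ['name' => 'name', 'location' => 'location'];   // whitelist
    if (!isset($columns[$requested])) {
        throw new InvalidArgumentException("Unknown column: $requested");
    }
    // Double quotes delimit identifiers in SQLite/ANSI SQL; MySQL uses backticks.
    $sql  = 'SELECT id, name FROM tbl WHERE "' . $columns[$requested] . '" = :value';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Where quote() belongs: a literal inside a statement the driver will
//    not parametrise. SQLite rejects bound parameters in CREATE VIEW, so
//    the location literal has to be inlined, and quote() escapes it
//    (the embedded apostrophe in O'Hare becomes 'O''Hare').
function createLocationView(PDO $pdo, string $viewName, string $location): void {
    // $viewName is an identifier: validate it, do not quote() it
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $viewName)) {
        throw new InvalidArgumentException("Bad view name: $viewName");
    }
    $pdo->exec('CREATE VIEW "' . $viewName . '" AS SELECT * FROM tbl WHERE location = '
               . $pdo->quote($location));
}

// 3. What quote() on a column name actually does: 'name' is a string
//    constant, so WHERE 'name' = :value compares two strings and never
//    looks at the column.
function quotedIdentifierDemo(PDO $pdo): array {
    $stmt = $pdo->prepare('SELECT count(*) FROM tbl WHERE ' . $pdo->quote('name') . ' = :value');
    $stmt->execute([':value' => 'alice']);   // 'name' = 'alice' is false for every row
    $noRows = (int) $stmt->fetchColumn();
    $stmt->execute([':value' => 'name']);    // 'name' = 'name' is true for every row
    $allRows = (int) $stmt->fetchColumn();
    return ['search_alice' => $noRows, 'search_name' => $allRows];
}

print_r(whereColumn($pdo, 'location', 'paris'));                       // bob
createLocationView($pdo, 'ohare_people', "O'Hare");
print_r($pdo->query('SELECT name FROM ohare_people')->fetchAll(PDO::FETCH_COLUMN)); // carol
print_r(quotedIdentifierDemo($pdo));                                  // 0 then 3
try {
    whereColumn($pdo, 'id; DROP TABLE tbl', 'x');                      // rejected by the whitelist
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The whitelist is what keeps the identifier safe in both the WHERE and ORDER BY cases; once the column name is known to be one of a fixed set, no quoting function is needed for it, and quote() is kept for the literal in statements that cannot take a placeholder.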