如何使用PDO清理输入? [英] How do I sanitize input with PDO?

问题描述

使用

Do I need to use mysql_real_escape_string() on my input (such as $_POST and $_GET) when I use the PDO library?

如何使用PDO正确地避开用户输入?

How do I properly escape user input with PDO?

推荐答案

如果使用PDO，则可以对查询进行参数化，从而无需转义任何包含的变量.

If you use PDO you can parametize your queries, removing the need to escape any included variables.

有关PDO的出色入门教程，请参见此处.

See here for a great introductory tutorial for PDO.

使用PDO，您可以使用准备好的语句将SQL和传递的参数分开，这消除了对转义字符串的需要，因为由于将两者分开保存，然后在执行时组合在一起，因此从上述来源自动将参数作为字符串处理:

Using PDO you can seperate the SQL and passed parameters using prepared statements, this removes the need to escape strings, as because the two are held seperately then combined at execution, the parameters are automatically handled as stings, from the above source:

   // where $dbh is your PDO connection

   $stmt = $dbh->prepare("SELECT * FROM animals WHERE animal_id = :animal_id AND animal_name = :animal_name");

   /*** bind the paramaters ***/
   $stmt->bindParam(':animal_id', $animal_id, PDO::PARAM_INT);
   $stmt->bindParam(':animal_name', $animal_name, PDO::PARAM_STR, 5);

   /*** execute the prepared statement ***/
   $stmt->execute();

注意:在变量绑定($stmt->bindParam)期间进行清理

Note: sanitization occurs during variable binding ($stmt->bindParam)

其他资源:

http ://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/

http://www.phpeveryday.com/articles/PDO- Prepared-Statement-P550.html

http://php.net/manual/en/pdo.prepared- statement.php

这篇关于如何使用PDO清理输入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！