Escape arguments for PDO statements?


Question

New to PDO - do I need to escape arguments I'm passing into a PDO prepared statement (such as the following):

$_GET['name'] = "O'Brady";

$sth = $dbh->prepare("INSERT INTO users SET name = :name");
$sth->bindParam(':name', $_GET['name']);
$sth->execute();

Recommended answer

No. Neither do you need any quotation marks around text strings. Just pass in the variables as they are and the MySQL driver will take care of the rest.
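The behaviour described in the answer, as an added example that is not part of the original question or answer: a bound value is stored byte for byte, escaping it first corrupts the data, and the same value concatenated into the SQL text breaks the statement. It assumes the pdo_sqlite extension is available; an in-memory SQLite database stands in for the page's MySQL connection, and the table layout and sample names are constructed.

```php
<?php
// In-memory SQLite stands in for the MySQL handle ($dbh) used on the page (assumption).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// pdo_mysql emulates prepares by default; with a MySQL connection this setting
// makes the driver send the statement and the values to the server separately:
// $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample inputs, standing in for $_GET['name'].
$names = ["O'Brady", 'say "hi"', 'back\\slash', '50% _off_'];

// 1. Bind the raw value: no escaping, no quotes around the placeholder.
$insert = $dbh->prepare('INSERT INTO users (name) VALUES (:name)');
$select = $dbh->prepare('SELECT name FROM users WHERE name = :name');
foreach ($names as $name) {
    $insert->execute([':name' => $name]);
    $select->execute([':name' => $name]);
    $stored = $select->fetchColumn();
    $select->closeCursor();
    printf("%-12s %s\n", $name, $stored === $name ? 'stored unchanged' : 'MISMATCH');
}

// 2. Escaping before binding is a bug: the backslash becomes part of the data.
$escaped = addslashes("O'Brady");            // O\'Brady
$insert->execute([':name' => $escaped]);
$select->execute([':name' => $escaped]);
printf("escaped then bound is stored as: %s\n", $select->fetchColumn());
$select->closeCursor();

// 3. The same value concatenated into the SQL text: the quote ends the
//    string literal early and the statement no longer parses.
try {
    $dbh->exec("INSERT INTO users (name) VALUES ('" . $names[0] . "')");
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    printf("concatenated query failed: %s\n", $e->getMessage());
}
```

Placeholders cover values only; table and column names cannot be bound and have to be checked against a fixed list in application code.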
