PDO语句中的转义值 [英] Escapeing values in PDO statements

问题描述

prepare()是否不能在PDO语句中转义任何quotes(')?由于某些原因，当我这样做时:

Doesn't prepare() escape any quotes(') in a PDO statement ? For some reason when I do this:

$sql = "INSERT INTO sessions (id, name) VALUES (1,'O'brian')";
$query = $this->connection->prepare($sql);
$query->execute();

我收到此错误:

Could not insert record SQLSTATE[42000]: [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax near 'brian'.

如果我使用prepare()怎么办?

推荐答案

由于您没有在execute方法中传递值，因此不会自动为您转义该值.以下内容将为您逃脱:

Since you are not passing the value in the execute method, it will not be automatically escaped for you. The following would be escaped for you:

$sql = "INSERT INTO sessions (id, name) VALUES (1, ?)";
$query = $this->connection->prepare($sql);
$query->execute(array("O'brian"));

这篇关于PDO语句中的转义值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！