PDO语句中的转义值 [英] Escapeing values in PDO statements
本文介绍了PDO语句中的转义值的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
prepare()
是否不能在PDO语句中转义任何quotes(')
?由于某些原因,当我这样做时:
Doesn't prepare()
escape any quotes(')
in a PDO statement ? For some reason when I do this:
$sql = "INSERT INTO sessions (id, name) VALUES (1,'O'brian')";
$query = $this->connection->prepare($sql);
$query->execute();
我收到此错误:
Could not insert record SQLSTATE[42000]: [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax near 'brian'.
如果我使用prepare()
怎么办?
推荐答案
由于您没有在execute方法中传递值,因此不会自动为您转义该值.以下内容将为您逃脱:
Since you are not passing the value in the execute method, it will not be automatically escaped for you. The following would be escaped for you:
$sql = "INSERT INTO sessions (id, name) VALUES (1, ?)";
$query = $this->connection->prepare($sql);
$query->execute(array("O'brian"));
这篇关于PDO语句中的转义值的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文