PDO 语句中的转义值
prepare() 不会转义 PDO 语句中的任何 quotes(') 吗?由于某种原因,当我这样做时:
$sql = "INSERT INTO sessions (id, name) VALUES (1,'O'brian')";
$query = $this->connection->prepare($sql);
$query->execute();
我收到此错误:
Could not insert record SQLSTATE[42000]: [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax near 'brian'.
如果我使用 prepare() ,这怎么可能?
Doesn't prepare() escape any quotes(') in a PDO statement ? For some reason when I do this:
$sql = "INSERT INTO sessions (id, name) VALUES (1,'O'brian')";
$query = $this->connection->prepare($sql);
$query->execute();
I get this error:
Could not insert record SQLSTATE[42000]: [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax near 'brian'.
How could this be if I'm using prepare() ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
由于您没有在执行方法中传递值,因此它不会自动为您转义。以下内容将为您转义:
Since you are not passing the value in the execute method, it will not be automatically escaped for you. The following would be escaped for you:
不。事实上,PDO 根本没有进行转义。重点是使用绑定参数,因此,不需要转义字符。
No. In fact, there is no escaping being done by PDO at all. The whole point is to use bound parameters, therefore, no characters need to be escaped.