PDO::quote

说明

PDO::quote() places quotes around the input string and escapes and single quotes within the input string. Quoting input strings has been a common means of attempting to prevent SQL injection attacks; however, an even safer approach is to use prepared statements with named parameters or placeholders for the input values.

Not all PDO drivers implement this method.

参数

返回值

Returns a quoted string that is theoretically safe to pass into an SQL statement.

例

例子 1. Quoting a normal string <?php $conn = new PDO('sqlite:/home/lynn/music.sql3'); /* Simple string */ $string = 'Nice'; print "Unquoted string: $string\n"; print "Quoted string: " . $conn->quote($string) . "\n"; ?> 上例将输出： Unquoted string: Nice Quoted string: 'Nice'

例子 2. Quoting a dangerous string <?php $conn = new PDO('sqlite:/home/lynn/music.sql3'); /* Dangerous string */ $string = 'Naughty \' string'; print "Unquoted string: $string\n"; print "Quoted string:" . $conn->quote($string) . "\n"; ?> 上例将输出： Unquoted string: Naughty ' string Quoted string: 'Naughty '' string'

例子 3. Quoting a complex string <?php $conn = new PDO('sqlite:/home/lynn/music.sql3'); /* Complex string */ $string = "Co'mpl''ex \"st'\"ring"; print "Unquoted string: $string\n"; print "Quoted string: " . $conn->quote($string) . "\n"; ?> 上例将输出： Unquoted string: Co'mpl''ex "st'"ring Quoted string: 'Co''mpl''''ex "st''"ring'

参见