PDO · PHP/Python/前端/Linux 等等學習筆記

[TOC] ## PDO::quote 將字符串轉義并加上引號，以便安全地在 SQL 查詢中使用 PDO::quote 函數將字符串中的特殊字符（例如單引號、雙引號和反斜杠）轉換為它們的轉義序列，并在開頭和結尾添加單引號。這樣可以確保 SQL 查詢中的字符串不會被誤解釋為語句的一部分，從而避免 SQL 注入攻擊示例 ``` $name = "Alice"; $quoted_name = $pdo->quote($name); $sql = "SELECT * FROM users WHERE name = $quoted_name"; ``` ## 快速入門 ``` <?php // PDO + MySQL $pdo = new PDO('mysql:host=example.com;dbname=database', 'user', 'password'); $statement = $pdo->query("SELECT some_field FROM some_table"); $row = $statement->fetch(PDO::FETCH_ASSOC); echo htmlentities($row['some_field']); // PDO + SQLite $pdo = new PDO('sqlite:/path/db/foo.sqlite'); $statement = $pdo->query("SELECT some_field FROM some_table"); $row = $statement->fetch(PDO::FETCH_ASSOC); echo htmlentities($row['some_field']); ``` 高安全性 ``` $pdo = new PDO('sqlite:/path/db/users.db'); $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id'); $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // <-- filter your data first (see [Data Filtering](#data_filtering)), especially important for INSERT, UPDATE, etc. $stmt->bindParam(':id', $id, PDO::PARAM_INT); // <-- Automatically sanitized for SQL by PDO $stmt->execute(); ```