参见英文答案 > How can I prevent SQL injection in PHP? 28个
迁移远离MysqL库后我正在使用PDO.我用什么来代替旧的real_escape_string函数?
我需要转义单引号,以便它们进入我的数据库,我认为可能有更好的方法来处理这个,而不添加(斜)所有字符串的斜杠.我该怎么用?
解决方法:
你应该使用PDO Prepare
从链接:
Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and Meta information, and helps to prevent sql injection attacks by eliminating the need to manually quote the parameters.