PDO防数据库注入的解决思路

 

//方式一：PDO::quote() 为SQL语句中的字符串添加引号或者转义特殊字符串,防止SQL注入
	$user= $pdo->quote($user);
	$sql="SELECT *FROM wuti_test WHERE name={$user} AND pass='{$pass}'";
	$stmt=$pdo->query($sql);
	$num=$stmt->rowCount();
	echo $num;

//方式二：PDO预处理---冒号占位符
	$sql="SELECT *FROM wuti_test WHERE name=:user AND pass=:pass";
	$stmt=$pdo->prepare($sql);
	$stmt->execute(array(":user"=>$user,":pass"=>$pass));
	echo $stmt->rowCount();

//方式三：PDO预处理---问号占位符
	$sql="SELECT *FROM wuti_test WHERE name=？ AND pass=？";
	$stmt=$pdo->prepare($sql);
	$stmt->execute(array( $user, $pass));
	echo $stmt->rowCount();