Approaches to preventing SQL injection with PDO

// $pdo is assumed to be an already-open PDO connection (e.g. to MySQL) with PDO::ERRMODE_EXCEPTION set.

// Method 1: PDO::quote() wraps a string in quotes and escapes special characters so it can be embedded in an SQL statement, preventing SQL injection.
// Every user-supplied value must go through quote(); a value interpolated raw stays injectable.
	$user = $pdo->quote($user);
	$pass = $pdo->quote($pass);
	// quote() already adds the surrounding quotes, so the SQL text must not add its own.
	$sql = "SELECT * FROM wuti_test WHERE name={$user} AND pass={$pass}";
	$stmt = $pdo->query($sql);
	// rowCount() on a SELECT is driver-dependent: pdo_mysql reports it, some drivers do not.
	$num = $stmt->rowCount();
	echo $num;

// Method 2: PDO prepared statement with named (colon) placeholders
// The values are bound separately from the SQL text, so they can never change the structure of the query.
	$sql = "SELECT * FROM wuti_test WHERE name=:user AND pass=:pass";
	$stmt = $pdo->prepare($sql);
	$stmt->execute([":user" => $user, ":pass" => $pass]);
	echo $stmt->rowCount();

// Method 3: PDO prepared statement with question-mark (positional) placeholders
	$sql = "SELECT * FROM wuti_test WHERE name=? AND pass=?";
	$stmt = $pdo->prepare($sql);
	$stmt->execute([$user, $pass]);
	echo $stmt->rowCount();
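The following is an added, self-contained example (not code from the original page) that shows why Methods 2 and 3 are preferred: it runs the same lookup against an in-memory SQLite database once with string interpolation and once with a prepared statement. The table name wuti_test and the columns name/pass come from the page; the sample rows, the helper names makeDb/countMatchesUnsafe/countMatchesPrepared and the constructed inputs are assumptions for this demo. COUNT(*) is used instead of rowCount() because rowCount() on a SELECT is driver-dependent.

```php
<?php
// Added example: interpolated SQL vs. a prepared statement, on in-memory SQLite (runs offline).
declare(strict_types=1);

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Turn off client-side placeholder emulation so the driver binds the values itself.
    // (pdo_sqlite ignores this attribute; it matters for pdo_mysql, which emulates by default.)
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE wuti_test (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pass TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO wuti_test (name, pass) VALUES (?, ?)');
    // Constructed sample rows; one name contains an apostrophe on purpose.
    foreach ([['alice', 'secret1'], ["o'brien", 'secret2'], ['bob', 'secret3']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

// Vulnerable form: user input is spliced straight into the SQL text.
function countMatchesUnsafe(PDO $pdo, string $user, string $pass): int {
    $sql = "SELECT COUNT(*) FROM wuti_test WHERE name='{$user}' AND pass='{$pass}'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Safe form (page's Method 2): named placeholders, values bound at execute() time.
function countMatchesPrepared(PDO $pdo, string $user, string $pass): int {
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM wuti_test WHERE name = :user AND pass = :pass');
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    return (int) $stmt->fetchColumn();
}

$pdo = makeDb();

// Ordinary credentials: both forms agree (1 row).
printf("alice/secret1   unsafe=%d prepared=%d\n",
    countMatchesUnsafe($pdo, 'alice', 'secret1'),
    countMatchesPrepared($pdo, 'alice', 'secret1'));

// A legitimate name containing an apostrophe breaks the interpolated query
// (SQL syntax error), while the prepared statement finds the row.
try {
    countMatchesUnsafe($pdo, "o'brien", 'secret2');
} catch (PDOException $e) {
    echo "o'brien/secret2 unsafe=SQL syntax error\n";
}
printf("o'brien/secret2 prepared=%d\n", countMatchesPrepared($pdo, "o'brien", 'secret2'));

// Constructed injection-style input: the interpolated form matches every row (3),
// the prepared form treats the whole string as a literal and matches none (0).
$tautology = "' OR '1'='1";
printf("tautology       unsafe=%d prepared=%d\n",
    countMatchesUnsafe($pdo, $tautology, $tautology),
    countMatchesPrepared($pdo, $tautology, $tautology));
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). The apostrophe case is the one to watch in practice: the same defect that makes a valid name crash the query is what lets a crafted value rewrite it, and the prepared statement handles both identically because the value never becomes part of the SQL text.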

