一:pdo
提供给预处理语句的参数不需要用引号括起来,驱动程序会自动处理。如果应用程序只使用预处理语句,可以确保不会发生SQL 注入。(然而,如果查询的其他部分是由未转义的输入来构建的,则仍存在 SQL 注入的风险)。
预处理语句如此有用,以至于它们唯一的特性是在驱动程序不支持的时PDO 将模拟处理。这样可以确保不管数据库是否具有这样的功能,都可以确保应用程序可以用相同的数据访问模式。
?模拟后是否可以防止sql注入
注意:pdo中的dsn区分大小写,需要用小写
The PDO connection is case-sensitive, this means that you cannot write
`$PDO = new PDO("MySQL:DBName=dbname;host=localhost");`
You would have to write it
`$PDO = new PDO("mysql:dbname=dbname;host=localhost");`
The difference here is that `mysql` and `dbname` is with all lower-case.
Some IDE's like PHPStorm will show a `TYPO ERROR`, at `dbname` if it's written with lower-case only, this is just to be ignored and have been reported to PHPStorm for them to fix. (Currrent version 10.0.2)
二: