PDO quote method

后端未结

关注

 4  2131

时光说笑 2020-12-06 01:32

Where and when do you use the quote method in PDO? I\'m asking this in the light of the fact that in PDO, all quoting is done by the PDO object therefore no user input shoul

4条回答

心在旅途 (楼主)

2020-12-06 02:07

While this may not be the only use-case it's the only one I've needed quote for. You can only pass values using PDO_Stmt::execute, so for example this query wouldn't work:

SELECT * FROM tbl WHERE :field = :value

quote comes in so that you can do this:

// Example: filter by a specific column
$columns = array("name", "location");
$column = isset($columns[$_GET["col"]]) ? $columns[$_GET["col"]] : $defaultCol;

$stmt = $pdo->prepare("SELECT * FROM tbl WHERE " . $pdo->quote($column) . " = :value");
$stmt->execute(array(":value" => $value));

$stmt = $pdo->prepare("SELECT * FROM tbl ORDER BY " . $pdo->quote($column) . " ASC");

and still expect $column to be filtered safely in the query.

0 讨论(0)

查看其它4个回答