If your application exclusively uses prepared statements, binding every user-supplied value as a parameter, you can be sure that no SQL injection will occur through those values. The guarantee covers values only: table and column names, sort direction and similar identifiers cannot be bound as parameters and must be validated separately.
The parameters to prepared statements don't need to be quoted; the driver handles that for you. Do not put quotes around the placeholder in the SQL text either: a quoted placeholder is an ordinary string literal, not a parameter.
Prepared statements are so useful that PDO actually breaks the rule set out in Goal number 4: if the driver doesn't support prepared statements, PDO will emulate them.
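The following is an added example, not code from the original article, showing the three points above in working PHP: a concatenated query that an attacker-controlled value breaks out of, the same query with a bound parameter (note the unquoted placeholder), and an allow-list for the one thing a placeholder cannot carry, an identifier. It assumes the pdo_sqlite extension and uses an in-memory database with constructed rows so it runs offline; the function names and the sample input are this example's own.

```php
<?php
// Added example (not from the original article). Assumes pdo_sqlite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed attacker-controlled input: the quote closes the literal and
// the OR clause matches every row when the value is concatenated into SQL.
$input = "x' OR '1'='1";

// Vulnerable: string concatenation. Shown only as the "before" case.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is bound as a parameter, so the quote is just data.
// The placeholder is NOT wrapped in quotes; the driver handles quoting.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Caveat: placeholders stand in for values only. A column name or sort
// direction has to be checked against an allow-list before it is spliced
// into the SQL text.
function listUsersSortedBy(PDO $pdo, string $column, string $direction): array
{
    $allowedColumns    = ['name', 'role'];
    $allowedDirections = ['ASC', 'DESC'];
    $direction = strtoupper($direction);
    if (!in_array($column, $allowedColumns, true)
        || !in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException('unsupported sort column or direction');
    }
    $stmt = $pdo->query("SELECT name FROM users ORDER BY $column $direction");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(findUserUnsafe($pdo, $input));            // both rows: injection succeeded
var_dump(findUserSafe($pdo, $input));              // empty: no user literally named that
var_dump(listUsersSortedBy($pdo, 'name', 'desc')); // ['bob', 'alice']
```

For pdo_sqlite the prepare is always native. With a driver such as pdo_mysql you can additionally set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the statement is prepared by the server rather than emulated client-side; where a driver lacks native support, PDO falls back to emulation as the paragraph above describes.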
Recommended usage