PHP Manual
后退前进


PDO::quote

(no version information, might be only in CVS)

PDO::quote --  Quotes a string for use in a query.

说明

string PDO::quote ( string string [, int parameter_type] )

警告

本函数是实验性的。本函数的行为,包括函数名称以及其它任何关于本函数的文档可能会在没有通知的情况下随 PHP 以后的发布而改变。使用本函数风险自担。

PDO::quote() places quotes around the input string and escapes and single quotes within the input string. Quoting input strings has been a common means of attempting to prevent SQL injection attacks; however, an even safer approach is to use prepared statements with named parameters or placeholders for the input values.

Not all PDO drivers implement this method.

参数

string

The string to be quoted.

parameter_type

Provides a data type hint for drivers that have alternate quoting styles. The default value is PDO_PARAM_STR.

返回值

Returns a quoted string that is theoretically safe to pass into an SQL statement.

例子 1. Quoting a normal string

<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');

/* Simple string */
$string = 'Nice';
print "Unquoted string: $string\n";
print "Quoted string: " . $conn->quote($string) . "\n";
?>

上例将输出:

Unquoted string: Nice
Quoted string: 'Nice'

例子 2. Quoting a dangerous string

<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');

/* Dangerous string */
$string = 'Naughty \' string';
print "Unquoted string: $string\n";
print "Quoted string:" . $conn->quote($string) . "\n";
?>

上例将输出:

Unquoted string: Naughty ' string
Quoted string: 'Naughty '' string'

例子 3. Quoting a complex string

<?php
$conn = new PDO('sqlite:/home/lynn/music.sql3');

/* Complex string */
$string = "Co'mpl''ex \"st'\"ring";
print "Unquoted string: $string\n";
print "Quoted string: " . $conn->quote($string) . "\n";
?>

上例将输出:

Unquoted string: Co'mpl''ex "st'"ring
Quoted string: 'Co''mpl''''ex "st''"ring'

参见

PDO::prepare()
PDOStatement::execute()



后退起点前进
PDO::query上一级PDO::rollBack