转义字符串

Question

I'm using PDO and was under the impression that prepare escaped apostrophes but I can see that isn't the case. what do I use to escape my strings for apostrophes?

---

$sql = 'SELECT test FROM test WHERE id = :id';
$sth = $dbh->prepare($sql);
$sth->execute(array(':id' => 1));
$red = $sth->fetchAll();

Answer 1

我不确定我是否理解您的问题，但这可能有助于PDO转义：

PDO::quote($data)

Answer 2

I Suspect you are not using preparred statements correctly, or there is something wrong with your code.

The docs specifically states:

The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).

Answer 3

I suspect that whilst you might be using a prepared statement, you are not binding parameters. For example, instead of

$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare("UPDATE table SET col = '$val'");
$stmt->execute();

You should use

$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare('UPDATE table SET col = :val');
$stmt->bindParam('val', $val);
$stmt->execute();

or at least

$val = "Some string with an a'postrophe in it";
$stmt = $pdo->prepare('UPDATE table SET col = :val');
$stmt->execute(array('val' => $val));

This is using named parameters but you can also use positional ones using ? as a placeholder