Escape arguments for PDO statements?
New to PDO - do I need to escape arguments I'm passing into a PDO prepared statement (such as the following):
$_GET['name'] = "O'Brady";
$sth = $dbh->prepare("INSERT INTO开发者_如何学C users SET name = :name");
$sth->bindParam(':name', $_GET['name']);
$sth->execute();
No. Neither do you need any quotation marks around text strings. Just pass in the variables as they are and the MySQL driver will take care of the rest.
The PDO will build the query in a safe manner so you won't need to escape it.
精彩评论