Prepared Statements and SQL Injection
This question already has an answer here:
Simple answer, no. SQL injection involves inputting strings that are used as part of the SQL control itself rather than values for a part of the query. By parameterizing the query, you essentially cordon off the variable, which covers the cases protected by *_escape_string calls and is more secure.
链接地址: http://www.djcxy.com/p/93754.html上一篇: PDO是否准备了足够的语句
下一篇: 准备好的语句和SQL注入