mysql - If PHP does not use PDO, how to prevent injection when constructing SQL statements?

Can formatting strings be eliminated?

三叔 · 2823 days ago · 1027

  • 我想大声告诉你 2017-06-22 11:56:34

    Can’t.
    Be sure to escape special characters such as quotation marks and backtick marks.
    Be sure to pay attention to the encoding of the database.
    Be sure to filter for special encodings in statements.
    PDO uses database parameter binding, so injection is avoided.

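Added example, not part of the original answer: the precautions listed above written with the mysqli extension (escaping with the connection charset set, type validation for numbers, an allow-list for backtick-quoted identifiers), followed by mysqli's own parameter binding. The credentials, the `users` table and its columns are assumptions, and the input values are constructed.

```php
<?php
// Placeholder credentials and a hypothetical `users` table (assumptions).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');

// Set the charset through the API rather than "SET NAMES", so that
// real_escape_string() escapes for the encoding the connection really uses.
$db->set_charset('utf8mb4');

// Constructed sample input standing in for request parameters.
$name   = "O'Reilly";
$minAge = "18";
$sort   = "created_at";

// 1. String values: escape AND wrap in quotes; escaping alone is not enough.
$nameSql = "'" . $db->real_escape_string($name) . "'";

// 2. Numeric values: validate the type instead of escaping.
$minAgeInt = filter_var($minAge, FILTER_VALIDATE_INT);
if ($minAgeInt === false) {
    throw new InvalidArgumentException('min_age must be an integer');
}

// 3. Identifiers inside backticks: real_escape_string() does not protect
//    them, so accept only names from a fixed allow-list.
$sortable = ['name', 'age', 'created_at'];
if (!in_array($sort, $sortable, true)) {
    throw new InvalidArgumentException('unsupported sort column');
}

$sql = "SELECT id, name FROM `users` "
     . "WHERE name = $nameSql AND age >= $minAgeInt ORDER BY `$sort`";
foreach ($db->query($sql) as $row) {
    printf("%d %s\n", $row['id'], $row['name']);
}

// mysqli also binds parameters without PDO: values never enter the SQL text.
// The column name still comes from the allow-list, since it cannot be bound.
$stmt = $db->prepare(
    "SELECT id, name FROM `users` WHERE name = ? AND age >= ? ORDER BY `$sort`"
);
$stmt->bind_param('si', $name, $minAgeInt);
$stmt->execute();
$stmt->bind_result($id, $foundName);
while ($stmt->fetch()) {
    printf("%d %s\n", $id, $foundName);
}
$stmt->close();
```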