[TOC] ## PDO::quote 将字符串转义并加上引号，以便安全地在 SQL 查询中使用 PDO::quote 函数将字符串中的特殊字符（例如单引号、双引号和反斜杠）转换为它们的转义序列，并在开头和结尾添加单引号。这样可以确保 SQL 查询中的字符串不会被误解释为语句的一部分，从而避免 SQL 注入攻击 示例 ``` $name = "Alice"; $quoted_name = $pdo->quote($name); $sql = "SELECT * FROM users WHERE name = $quoted_name"; ``` ## 快速入门 ``` <?php // PDO + MySQL $pdo = new PDO('mysql:host=example.com;dbname=database', 'user', 'password'); $statement = $pdo->query("SELECT some_field FROM some_table"); $row = $statement->fetch(PDO::FETCH_ASSOC); echo htmlentities($row['some_field']); // PDO + SQLite $pdo = new PDO('sqlite:/path/db/foo.sqlite'); $statement = $pdo->query("SELECT some_field FROM some_table"); $row = $statement->fetch(PDO::FETCH_ASSOC); echo htmlentities($row['some_field']); ``` 高安全性 ``` $pdo = new PDO('sqlite:/path/db/users.db'); $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id'); $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // <-- filter your data first (see [Data Filtering](#data_filtering)), especially important for INSERT, UPDATE, etc. $stmt->bindParam(':id', $id, PDO::PARAM_INT); // <-- Automatically sanitized for SQL by PDO $stmt->execute(); ```