Why MySQL PDO prepared statements prevent SQL injection
1. First, the prepared-statement syntax:
    $stmt = $pdo->prepare('select * from Biao1 where Id = :id');
    $stmt->execute([':id' => 4]);
Note that prepare() returns a PDOStatement object and execute() is called on that object, not on the PDO connection; the key in the execute() array must match the placeholder name exactly (:id, not :Id).
2. Statement one: the web server sends the SQL text to the MySQL server, which parses it once and keeps an execution plan with a placeholder where the value will go.
Statement two: the web server sends only the parameter values. The MySQL server does not parse them as SQL; it binds them to the placeholders of statement one as pure data. Even a value that contains SQL commands is never executed, which is what prevents SQL injection.
See figure:
Normal SQL: the web server pieces the SQL string together itself (concatenating user input into it) and sends it for direct execution, so dangerous SQL fragments can be spliced into the statement.
PDO SQL: the MySQL server receives the SQL text and the values separately; even a value that contains a dangerous statement is treated only as a parameter and is never executed.
Note: for the MySQL server to do the binding instead of the web server, you must set an attribute when creating the PDO object.
This attribute controls emulated prepares. For pdo_mysql it defaults to true, meaning the web server (PHP's PDO layer) simulates the prepare instead of MySQL: it quotes and escapes each parameter itself, substitutes it into the SQL text, and sends the finished statement to MySQL exactly as a normal query would be sent. This is better than hand-built concatenation, because PDO does escape the values, but the escaping happens on the client and is only correct if the PDO driver knows the connection's character set (set charset= in the DSN rather than running SET NAMES afterwards); the MySQL server still parses one combined string and never sees a separation between code and data.
Therefore it must be set to false:
    $this->_pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
PDO::ATTR_EMULATE_PREPARES = true: even though you call prepare() and execute(), underneath PDO behaves like a normal MySQL query: the web server builds the complete SQL string and sends it to the MySQL server in one piece.
PDO::ATTR_EMULATE_PREPARES = false: prepare() and execute() are real. The SQL text goes to the server first and is parsed once; each execute() sends only the values, which the server binds as data.
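The following is an added example, not code from the original post. It puts the two approaches side by side on one connection configured the way the post recommends (charset in the DSN, emulation off), checks with getAttribute() that the setting actually took effect, and runs the same attacker-controlled input through a concatenated query and a prepared statement. It assumes a MySQL server on 127.0.0.1 with a database named test and a user app with password secret; the table Biao1, its Name column and the sample rows are constructed here for the demonstration.

```php
<?php
// Added example, not the original post's code. Assumptions: MySQL on 127.0.0.1,
// database 'test', user 'app', password 'secret'. Table rows are constructed below.
declare(strict_types=1);

function connect(): PDO
{
    // charset= in the DSN so the driver knows the connection encoding;
    // ATTR_EMULATE_PREPARES=false makes MySQL itself parse the SQL and bind values.
    return new PDO('mysql:host=127.0.0.1;dbname=test;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Verify what the connection actually does instead of trusting the default.
function usesServerSidePrepares(PDO $pdo): bool
{
    return !$pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES);
}

function setupFixture(PDO $pdo): void
{
    // TEMPORARY so the demo leaves nothing behind; constructed sample rows.
    $pdo->exec('CREATE TEMPORARY TABLE Biao1 (Id INT PRIMARY KEY, Name VARCHAR(32))');
    $pdo->exec("INSERT INTO Biao1 (Id, Name) VALUES (1, 'alice'), (2, 'bob'), (4, 'dave')");
}

// VULNERABLE: the web server splices untrusted input into the SQL text.
function findByNameConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT Id, Name FROM Biao1 WHERE Name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is sent and parsed first; the value is bound as data.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT Id, Name FROM Biao1 WHERE Name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
printf("server-side prepares: %s\n", usesServerSidePrepares($pdo) ? 'yes' : 'no');
setupFixture($pdo);

$attack = "' OR '1'='1";   // constructed attacker input

// Concatenation turns the WHERE clause into  Name = '' OR '1'='1'  and leaks every row.
printf("concatenated SQL: %d rows\n", count(findByNameConcat($pdo, $attack)));
// The prepared statement looks for a user literally named  ' OR '1'='1  and matches nothing.
printf("prepared statement: %d rows\n", count(findByNamePrepared($pdo, $attack)));
```

One practical consequence of turning emulation off: the statement is now prepared by MySQL, so driver limitations apply, for example a named placeholder such as :name cannot be used twice in the same statement; bind it under two names instead. The attribute can also be passed to setAttribute() after construction, as the post shows, but setting it in the constructor options guarantees no query runs before it takes effect.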