PDO protection against SQL Injection

PDO protection against SQL Injection

<Span style = "font-size: 18px;"> <? Php $ dbh = new PDO ("mysql: host = localhost; dbname = demo", "user", "pass"); $ dbh-> setAttribute (PDO: ATTR_EMULATE_PREPARES, false); // disable the simulation effect of prepared statements $ dbh-> exec ("set names 'utf8'"); $ SQL = "select * from test where name =? And password =? "; // You can also use the format $ stmt = $ dbh-> prepare ($ SQL); $ exeres = $ stmt-> execute (array ($ testname, $ pass); if ($ exeres) {while ($ row = $ stmt-> fetch (PDO: FETCH_ASSOC) {print_r ($ row );}} $ dbh = null; // a few more words: & nbsp; When prepare () is called, the query statement has been sent to the database server, and there is only a placeholder? The data submitted by the user is not sent in the past. When the call is to execute (), the value submitted by the user is sent to the database. They are sent separately, and the two are independent, SQL attackers have no chance. But we need to pay attention to the following situations. PDO does not help you prevent SQL injection. 1. You cannot make placeholders? Replace a set of values, such as: SELECT * FROM blog WHERE userid IN (? ); 2. You cannot replace a placeholder with a data table name or column name, for example, SELECT * FROM blog order ?; 3. Can't you make placeholders? Replace any other SQL syntax, such as: SELECT EXTRACT (? FROM datetime_column) AS variable_datetime_element FROM blog; </span>