通过 prepare() 预处理语句绑定参数值，并用字段白名单检查列名，防止 SQL 注入。
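/**
 * Insert one article row from $_POST while defending against SQL injection.
 *
 * Values are bound through prepared-statement placeholders. Column names cannot
 * be bound, so they are restricted to an explicit allowlist instead. An unknown
 * key, an empty submission, or a non-scalar value rejects the whole request.
 */
$pdo = new PDO('mysql:host=localhost;dbname=scms', 'root', null, [
    // Throw on every driver error so a failed prepare()/execute() cannot be
    // silently ignored (prepare() returning false would otherwise be called on).
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements rather than client-side quoting.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Demo input standing in for a real form submission.
$_POST = ['title' => 23, 'content' => 'kmm'];

// Allowlist of columns that may be written; anything else is rejected.
// Identifiers cannot be parameterised, so this list is the only injection
// barrier for the column-name part of the statement.
$allowedFields = ['title', 'content'];

$keys = array_keys($_POST);

// An empty submission would otherwise build "insert into article() values(:)".
$isAllowed = $keys !== [];
foreach ($_POST as $key => $value) {
    // Strict comparison: integer keys (PHP casts numeric-string keys to int)
    // and look-alike strings never match an allowlisted column name.
    if (!in_array($key, $allowedFields, true)) {
        $isAllowed = false;
        break;
    }
    // PDO cannot bind arrays or objects (e.g. title[]=x); reject them up front
    // instead of failing inside execute().
    if (!is_scalar($value) && $value !== null) {
        $isAllowed = false;
        break;
    }
}

if ($isAllowed) {
    // Column list and the matching named placeholders (:title,:content) are
    // built only from allowlisted keys, so this interpolation is safe.
    $fields = implode(',', $keys);
    $placeholders = ':' . implode(',:', $keys);
    $sql = "insert into article({$fields}) values({$placeholders})";

    $statement = $pdo->prepare($sql);
    // Named parameters may be passed with or without the leading colon.
    $statement->execute($_POST);
    var_dump($statement->errorInfo());
} else {
    echo '非法字段';
}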