If PHP does not use PDO, how to prevent injection when constructing SQL statements?
Can formatting strings be eliminated?
1
0
0
Can’t.
Be sure to escape special characters such as quotation marks and backtick marks.
Be sure to pay attention to the encoding of the database.
Be sure to filter for special encodings in statements.
pdo uses database parameter binding, so injection is avoided.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
