我怎样才能避免mysql注入?这是我现在的PHP文件
<?php
include 'config.php';
$Name = $_GET['Name'] ;
$sql = "Select * from tables where names =\"$Name\"";
try {
$dbh = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
$dbh->query('SET CHARACTER SET utf8');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $dbh->query($sql);
$names = $stmt->fetchAll(PDO::FETCH_OBJ);
$dbh = null;
echo '{"key":'. json_encode($names) .'}';
} catch(PDOException $e) {
echo '{"error":{"text":'. $e->getMessage() .'}}';
}
?>
当我把$stmt = $dbh->query($sql); $stmt->execute(array(':name' => $name));它放到代码时,它不起作用.那我该怎么办呢?