
How does this PDO code prevent SQL injection?

Updated: 2023-09-11 23:24:58


(There's a bug in the 2nd line; the string isn't terminated. Add a "); to the end, and you should be ok. It's on the page you linked to as well, so it's their fault. You of course also need to supply the values that'll substitute the question marks, and then actually run the query, before you get any results.)


Anyway, to the point. PDO looks for the ? or :name markers, and replaces them (in order or by name, respectively) with the values you specify. When the values are inserted into the query string, they're first processed to escape anything that could be used for injection attacks.


It's similar to using mysql_real_escape_string() (or the weaker addslashes()) on a value before using it in a query, but PDO does it automatically and is better at it.
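As an added example (not code from the question or the answer above), here is a complete prepare/execute round trip showing both the `?` and `:name` placeholder styles the answer describes, run against an in-memory SQLite database so it works offline; the table, rows and the untrusted input are constructed for the demonstration.

```php
<?php
// Added example, not from the original answer. Assumes PHP with pdo_sqlite.
// The users table and its rows are constructed sample data.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false so the
// values are sent to the server separately from the SQL text instead of being
// escaped into it client-side; pdo_sqlite always uses native prepares.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('O''Brien', 'user')");

// Untrusted input, e.g. from $_GET['name']. The single quote would break
// (or hijack) a query built by string concatenation.
$name = "O'Brien";

// Vulnerable form for contrast: the raw value becomes part of the SQL text.
// $rows = $pdo->query("SELECT id, name FROM users WHERE name = '$name'");

// 1) Positional placeholders: values are matched to the ? markers in order.
//    Note the string passed to prepare() is properly terminated.
$stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = ? AND role = ?");
$stmt->execute([$name, 'user']);
$byPosition = $stmt->fetchAll(PDO::FETCH_ASSOC);   // matches the O'Brien row only

// 2) Named placeholders: values are matched to the :name markers by key.
$stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name AND role = :role");
$stmt->execute([':name' => $name, ':role' => 'user']);
$byName = $stmt->fetchAll(PDO::FETCH_ASSOC);       // same row as above

// 3) bindValue() lets you state the type explicitly, which matters for
//    numeric clauses such as LIMIT where a quoted string would be rejected.
$stmt = $pdo->prepare("SELECT name FROM users ORDER BY id LIMIT :n");
$stmt->bindValue(':n', 1, PDO::PARAM_INT);
$stmt->execute();
$limited = $stmt->fetchAll(PDO::FETCH_COLUMN);

var_dump($byPosition, $byName, $limited);
```

Placeholders only stand in for values; a table or column name taken from user input still has to be checked against an allow-list, because neither `?` nor `:name` can represent an identifier.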