# Query

> query($query)

query [string] The SQL query.

Return: [object] The PDOStatement object.

~~~php
$User = M("User");
$User->query("CREATE TABLE table ( c1 INT STORAGE DISK, c2 INT STORAGE MEMORY ) ENGINE NDB;");
$data = $User->query("SELECT email FROM account")->fetchAll();
print_r($data);
~~~

PDO对象

~~~php
//$Model -> pdo
$User = M("User");
$User->pdo->query("CREATE TABLE table ( c1 INT STORAGE DISK, c2 INT STORAGE MEMORY ) ENGINE NDB;");
$data = $User->pdo->query("SELECT email FROM account")->fetchAll();
print_r($data);
~~~

## Quote 字符串转义

> quote($string)

$string [string] 字符串.

Return: [string] 已加引号并转义后的字符串，可用于防止该字符串值引起的SQL注入.

Note: `query()` executes the SQL it is given as-is and does not escape anything you concatenate into it. When a statement contains user-supplied values, prefer a prepared statement with bound parameters; use `quote()` only for the individual string value you must embed directly, and never for table or column names.

~~~php
$User = M("User");
$string = 'Nice';
print "Unquoted string: $string\n";
print "Quoted string: " . $User->quote($string) . "\n";
~~~

以上例程会输出:

~~~
Unquoted string: Nice
Quoted string: 'Nice'
~~~

~~~php
/* Dangerous string */
$string = 'Naughty \' string';
print "Unquoted string: $string\n";
print "Quoted string:" . $User->quote($string) . "\n";
~~~

以上例程会输出:

~~~
Unquoted string: Naughty ' string
Quoted string: 'Naughty '' string'
~~~

~~~php
/* Complex string */
$string = "Co'mpl''ex \"st'\"ring";
print "Unquoted string: $string\n";
print "Quoted string: " . $User->quote($string) . "\n";
~~~

以上例程会输出:

~~~
Unquoted string: Co'mpl''ex "st'"ring
Quoted string: 'Co''mpl''''ex "st''"ring'
~~~