ADOdb

Database Abstraction Layer for PHP


v5:reference:connection:addq

Differences

This shows you the differences between two versions of the page.

reference:addq [2016/01/07 04:07] mnewnham
v5:reference:connection:addq [2017/05/17 19:06] – [Usage] mnewnham
Line 3: Line 3:
 <WRAP right box> <WRAP right box>
 ==See Also== ==See Also==
-[[refrence:qStr()]]\\+[[v5:reference:connection:qstr]]\\
 == Syntax == == Syntax ==
   string addQ(   string addQ(
Line 11: Line 11:
 </WRAP> </WRAP>
 ==== Description ==== ==== Description ====
-The function ''addQ()'' takes an input string, and allows it to be:+The function ''addQ()'' takes an input string, and applies database specific string quoting. Unlike the method [[v5:reference:connection:qstr]], no pre or post quoting is applied. 
  
-  - Wrapped in single quotes.The value can then be used, for example in an SQL statement. +This method is particularly useful when used with [[v5:userguide:learn_bind:bind_vars|bind variable SQL statement execution]], to produce injection resistant code.
-  - Have quotes inside the string escaped in a way that is appropriate for the database. This is done wherever possible using PHP driver functions e.g. [[http://php.net/manual/en/mysqli.real-escape-string.php|MySQL real_escape_string]]. The second parameter, ''$dontFixQuotes'' stops any internal quoting happening, This parameter was mostly used in older versions of PHP when the now removed ''magic_quotes'' parameter was enabledand the 2 methods were in conflict+
  
 ------------------------------ ------------------------------
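Review bot: the rewritten description drops the documentation of the second parameter, ''$dontFixQuotes'', which the removed paragraph explained (it suppresses internal quote escaping and dates from the ''magic_quotes'' era); the Syntax block still shows the function signature, so either keep one sentence on that parameter or state that it is retained only for backward compatibility. The new wording "no pre or post quoting is applied" is also less precise than the removed text, which said the value is not wrapped in single quotes; suggest "unlike qstr(), the result is not wrapped in surrounding single quotes, only quotes inside the string are escaped", and hyphenate "database-specific".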
Line 29: Line 28:
 */ */
  
-$qString = $db->qStr($string);+$qString = $db->addQ($string);
  
 /* /*
Line 43: Line 42:
  */  */
 </code> </code>
 +==== Using qStr With Bind ====
 +This example shows a completely database independent bind variable statement with special character escaping, providing strong resistance to SQL injection.
 +<code php>
 +$p1 = $db->param('p1');
 +$p2 = $db->param('p2');
 +
 +/*
 +* Provide internal escaping of ' characters
 +*/
 +$qStringField = $db->addQ($stringField);
  
 +$bind = array('p1'=>$integerField,
 +       'p2'=>$qStringField);
 +
 +$SQL = "SELECT *
 + FROM some_table 
 +       WHERE integer_field=$p1
 + AND string_field=$p2";
 +
 +$result = $db->execute($SQL,$bind);
 +</code>
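Review bot: the new section heading "Using qStr With Bind" does not match its code, which calls ''addQ()''; rename the heading, and since the surrounding example was just corrected from ''qStr()'' to ''addQ()'' check that no other ''qStr'' references remain in this page. More importantly, the example escapes ''$stringField'' with ''addQ()'' and then passes the result as a bind value for ''p2''. Bind variables are meant to hand the raw value to the driver, which already protects the statement from the value's content, so escaping it first does not add injection resistance; it risks the stored value carrying doubled quote characters (a name such as O'Brien arriving as O''Brien). Suggest removing the ''addQ()'' call from the bind example, or, if some ADOdb drivers really require it, naming those drivers explicitly instead of calling the example "completely database independent".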
v5/reference/connection/addq.txt · Last modified: 2021/01/25 03:00 by mnewnham