ADOdb

Database Abstraction Layer for PHP

v5:reference:connection:addq

reference:addq [2016/01/07 04:07] mnewnham
v5:reference:connection:addq [2018/07/16 19:40] – start functions lowercase peterdd
Line 3: Line 3:
 <WRAP right box> <WRAP right box>
 ==See Also== ==See Also==
-[[refrence:qStr()]]\\+[[v5:reference:connection:qstr]]\\
 == Syntax == == Syntax ==
   string addQ(   string addQ(
Line 11: Line 11:
 </WRAP> </WRAP>
 ==== Description ==== ==== Description ====
-The function ''addQ()'' takes an input string, and allows it to be:+The function ''addQ()'' takes an input string, and applies database specific string quoting. Unlike the method [[v5:reference:connection:qstr]], no pre or post quoting is applied. 
  
-  - Wrapped in single quotes.The value can then be used, for example in an SQL statement. +This method is particularly useful when used with [[v5:userguide:learn_bind:bind_vars|bind variable SQL statement execution]], to produce injection resistant code.
-  - Have quotes inside the string escaped in a way that is appropriate for the database. This is done wherever possible using PHP driver functions e.g. [[http://php.net/manual/en/mysqli.real-escape-string.php|MySQL real_escape_string]]. The second parameter, ''$dontFixQuotes'' stops any internal quoting happening, This parameter was mostly used in older versions of PHP when the now removed ''magic_quotes'' parameter was enabledand the 2 methods were in conflict+
  
 ------------------------------ ------------------------------
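Review bot: "applies database specific string quoting" is misleading, because the same sentence says no quoting is added; what addQ() does, according to the removed paragraph and the example further down, is escape quote characters inside the string, so say "escaping" to keep the contrast with qstr() clear. The removed paragraph was also the only place the second parameter, ''$dontFixQuotes'', was documented; if it is still accepted, keep one sentence on it (or state that it is now ignored) rather than dropping it silently.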
Line 23: Line 22:
 $SQL = "SELECT * FROM names WHERE name='$string'"; $SQL = "SELECT * FROM names WHERE name='$string'";
  
-$result = $db->Execute($SQL);+$result = $db->execute($SQL);
  
 /* /*
Line 29: Line 28:
 */ */
  
-$qString = $db->qStr($string);+$qString = $db->addQ($string);
  
 /* /*
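Review bot: the switch from qStr() to addQ() here is more than a rename and deserves a mention in the summary: the statement shown at the next hunk wraps the value in its own single quotes (name='$qString'), so qStr(), which adds surrounding quotes, would have produced a doubly quoted literal, whereas addQ() only escapes the quote embedded in the string.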
Line 37: Line 36:
 $SQL = "SELECT * FROM names WHERE name='$qString'"; $SQL = "SELECT * FROM names WHERE name='$qString'";
  
-$result = $db->Execute($SQL);+$result = $db->execute($SQL);
  
 /* /*
- * Execution Succeeds+ * Execution succeeds
  */  */
 </code> </code>
 +==== Using qStr With Bind ====
 +This example shows a completely database independent bind variable statement with special character escaping, providing strong resistance to SQL injection.
 +<code php>
 +$p1 = $db->param('p1');
 +$p2 = $db->param('p2');
 +
 +/*
 +* Provide internal escaping of ' characters
 +*/
 +$qStringField = $db->addQ($stringField);
  
 +$bind = array('p1'=>$integerField,
 +       'p2'=>$qStringField);
 +
 +$SQL = "SELECT *
 + FROM some_table 
 +       WHERE integer_field=$p1
 + AND string_field=$p2";
 +
 +$result = $db->execute($SQL,$bind);
 +</code>
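Review bot: the new example escapes $stringField with addQ() and then passes the result as a bind value, which processes the data twice: as the description above says, bind variable execution is what keeps the value out of the SQL text, so the bound value should be the raw $stringField. Escaping it first changes what is compared (a name such as O'Brien is sent with an extra backslash or quote and no longer matches the stored row) while adding nothing to the injection resistance. Drop the addQ() call from the bind path and bind $stringField directly. Also, the heading reads "Using qStr With Bind" while the code uses addQ(), and the comment lines inside /* */ are not aligned with the opening marker.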
v5/reference/connection/addq.txt · Last modified: 2021/01/25 03:00 by mnewnham