ADOdb

Database Abstraction Layer for PHP

v5:reference:connection:addq

Differences

This shows you the differences between two versions of the page.

reference:addq [2016/01/07 04:07] mnewnham -> v5:reference:connection:addq [2021/01/25 03:00] (current) mnewnham
Line 3: Line 3:
 <WRAP right box> <WRAP right box>
 ==See Also== ==See Also==
-[[refrence:qStr()]]\\+[[v5:reference:connection:qstr]]\\
 == Syntax == == Syntax ==
   string addQ(   string addQ(
-         string $unquoted, +         string $unquotedText
-         optional bool $dontFixQuotes=false+
          )          )
 </WRAP> </WRAP>
 ==== Description ==== ==== Description ====
-The function ''addQ()'' takes an input string, and allows it to be:+The function ''addQ()'' takes an input string, and applies database specific string quoting. Unlike the method [[v5:reference:connection:qstr]], no pre or post quoting is applied. 
  
-  - Wrapped in single quotes.The value can then be used, for example in an SQL statement. +This method is particularly useful when used with [[v5:userguide:learn_bind:bind_vars|bind variable SQL statement execution]], to produce injection resistant code.
-  - Have quotes inside the string escaped in a way that is appropriate for the database. This is done wherever possible using PHP driver functions e.g. [[http://php.net/manual/en/mysqli.real-escape-string.php|MySQL real_escape_string]]. The second parameter, ''$dontFixQuotes'' stops any internal quoting happening, This parameter was mostly used in older versions of PHP when the now removed ''magic_quotes'' parameter was enabledand the 2 methods were in conflict+
  
 ------------------------------ ------------------------------
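Review bot: the rewritten description on the `+` side of the `==== Description ====` line contradicts itself: it first says addQ() "applies database specific string quoting" and in the next sentence that "no pre or post quoting is applied". The first phrase should say escaping (of quote characters inside the string), which is what the removed `-` text described and what distinguishes addQ() from qstr. The added sentence recommending addQ() "with bind variable SQL statement execution" also points readers the wrong way: addQ() is for a value that is interpolated into the SQL text (as the `name='$qString'` example further down does), whereas a value passed as a bind variable is handed to the driver separately and should not be pre-escaped, otherwise the escape characters become part of the compared or stored value. Suggest: "addQ() escapes quote characters in a string so that it can be placed inside an SQL literal that you quote yourself; it is not needed for values passed as bind variables."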
Line 23: Line 21:
 $SQL = "SELECT * FROM names WHERE name='$string'"; $SQL = "SELECT * FROM names WHERE name='$string'";
  
-$result = $db->Execute($SQL);+$result = $db->execute($SQL);
  
 /* /*
Line 29: Line 27:
 */ */
  
-$qString = $db->qStr($string);+$qString = $db->addQ($string);
  
 /* /*
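Review bot: replacing qStr() with addQ() here is the right fix given the `name='$qString'` line in the following hunk: qStr() would have added its own surrounding quotes on top of the literal quotes in the SQL, producing `name=''...''`, while addQ() returns only the escaped text. A short comment above `$qString = $db->addQ($string);` noting that the surrounding quotes are supplied by the SQL statement would make that difference explicit, since it is the whole point of the page.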
Line 37: Line 35:
 $SQL = "SELECT * FROM names WHERE name='$qString'"; $SQL = "SELECT * FROM names WHERE name='$qString'";
  
-$result = $db->Execute($SQL);+$result = $db->execute($SQL);
  
 /* /*
- * Execution Succeeds+ * Execution succeeds
  */  */
 </code> </code>
 +==== Using qStr With Bind ====
 +This example shows a completely database independent bind variable statement with special character escaping, providing strong resistance to SQL injection.
 +<code php>
 +$p1 = $db->param('p1');
 +$p2 = $db->param('p2');
 +
 +/*
 +* Provide internal escaping of ' characters
 +*/
 +$qStringField = $db->addQ($stringField);
  
 +$bind = array('p1'=>$integerField,
 +       'p2'=>$qStringField);
 +
 +$SQL = "SELECT *
 + FROM some_table 
 +       WHERE integer_field=$p1
 + AND string_field=$p2";
 +
 +$result = $db->execute($SQL,$bind);
 +</code>
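Review bot: the added `==== Using qStr With Bind ====` section both escapes a value and then passes it as a bind variable, which escapes it twice: `$qStringField = $db->addQ($stringField);` turns `O'Brien` into `O\'Brien` (or `O''Brien`, depending on the driver), and the bind layer then delivers that already-escaped text to the database as the parameter value, so `string_field=$p2` will not match a stored `O'Brien`. The bind variables alone give the injection resistance the lead-in promises; drop the addQ() call and the `Provide internal escaping of ' characters` comment and bind the raw value: `'p2'=>$stringField`. The heading also says qStr although the code calls addQ(); rename it to match. If the intent was to show addQ() next to bind, the example should interpolate the escaped value into the SQL text (`string_field='$qStringField'`) and bind only `$p1`, so that each value is protected by exactly one mechanism.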
v5/reference/connection/addq.txt · Last modified: 2021/01/25 03:00 by mnewnham