ADOdb

Database Abstraction Layer for PHP

v5:reference:connection:addq

Differences

v5:reference:addq [2016/01/13 02:31] – ↷ Links adapted because of a move operation mnewnham
v5:reference:connection:addq [2021/01/25 03:00] (current) mnewnham
Line 3: Line 3:
 <WRAP right box> <WRAP right box>
 ==See Also== ==See Also==
-[[v5:reference:qstr]]\\+[[v5:reference:connection:qstr]]\\
 == Syntax == == Syntax ==
   string addQ(   string addQ(
-         string $unquoted, +         string $unquotedText
-         optional bool $dontFixQuotes=false+
          )          )
 </WRAP> </WRAP>
 ==== Description ==== ==== Description ====
-The function ''addQ()'' takes an input string, and applies database specific string quoting. Unlike the method [[v5:reference:qstr]], no pre or post quoting is applied. +The function ''addQ()'' takes an input string, and applies database specific string quoting. Unlike the method [[v5:reference:connection:qstr]], no pre or post quoting is applied.  
 + 
 +This method is particularly useful when used with [[v5:userguide:learn_bind:bind_vars|bind variable SQL statement execution]], to produce injection resistant code.
  
 ------------------------------ ------------------------------
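Review bot: the added description line overstates what addQ() contributes to injection resistance: a value supplied through a bind array is quoted by the driver or passed out-of-band, so it is the binding, not addQ(), that prevents injection, and addQ() is for values that are interpolated directly into the statement string. Suggest rewording to say that addQ() escapes a value for inline use when binding is not available, and stating explicitly that bound values must not be pre-escaped. The Syntax box also drops the optional second parameter without any mention in the description; if that parameter still exists in the code, document it as deprecated rather than removing it silently.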
Line 20: Line 21:
 $SQL = "SELECT * FROM names WHERE name='$string'"; $SQL = "SELECT * FROM names WHERE name='$string'";
  
-$result = $db->Execute($SQL);+$result = $db->execute($SQL);
  
 /* /*
Line 26: Line 27:
 */ */
  
-$qString = $db->qStr($string);+$qString = $db->addQ($string);
  
 /* /*
Line 34: Line 35:
 $SQL = "SELECT * FROM names WHERE name='$qString'"; $SQL = "SELECT * FROM names WHERE name='$qString'";
  
-$result = $db->Execute($SQL);+$result = $db->execute($SQL);
  
 /* /*
- * Execution Succeeds+ * Execution succeeds
  */  */
 </code> </code>
 +==== Using qStr With Bind ====
 +This example shows a completely database independent bind variable statement with special character escaping, providing strong resistance to SQL injection.
 +<code php>
 +$p1 = $db->param('p1');
 +$p2 = $db->param('p2');
 +
 +/*
 +* Provide internal escaping of ' characters
 +*/
 +$qStringField = $db->addQ($stringField);
  
 +$bind = array('p1'=>$integerField,
 +       'p2'=>$qStringField);
 +
 +$SQL = "SELECT *
 + FROM some_table 
 +       WHERE integer_field=$p1
 + AND string_field=$p2";
 +
 +$result = $db->execute($SQL,$bind);
 +</code>
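Review bot: the new example pre-escapes a value that is then bound, which is redundant and corrupts data: $stringField is passed through addQ() and the result is bound as p2, but a bound value is never interpolated into the SQL text (the driver, or ADOdb's bind emulation, quotes it), so the escape characters addQ() inserts become part of the compared value and a string containing an apostrophe will no longer match the row it should. Suggest binding the raw value, i.e. `'p2'=>$stringField`, and dropping the addQ() call together with its "Provide internal escaping" comment; the injection resistance the text promises comes from the bind variables alone. The new heading also reads "Using qStr With Bind" while the code calls addQ(); rename it to match the example (or simply "Using Bind Variables").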
v5/reference/connection/addq.1452648710.txt.gz · Last modified: 2017/04/21 11:37 (external edit)