Database Abstraction Layer for PHP


string addQ(
       string $unquoted,
       optional bool $dontFixQuotes=false
)


The function addQ() takes an input string and applies database-specific string quoting (escaping of embedded quote characters). Unlike the method qStr(), it does not add the surrounding quote characters before and after the value.

This method is particularly useful when used with bind variable SQL statement execution, to produce injection-resistant code.


$string = "Patrick O'Reilly";
$SQL = "SELECT * FROM names WHERE name='$string'";
$result = $db->Execute($SQL);
// Execution fails: the embedded ' terminates the string literal early,
// leaving a mismatched ' character
$qString = $db->addQ($string);
// Returns Patrick O\'Reilly (the resulting string is database-specific)
$SQL = "SELECT * FROM names WHERE name='$qString'";
$result = $db->Execute($SQL);
// Execution succeeds

Using addQ With Bind

This example shows a completely database-independent bind variable statement with special character escaping, providing strong resistance to SQL injection.

$p1 = $db->param('p1');
$p2 = $db->param('p2');
// Provide internal escaping of ' characters
$qStringField = $db->addQ($stringField);
$bind = array('p1'=>$integerField,
              'p2'=>$qStringField);
$SQL = "SELECT *
          FROM some_table
         WHERE integer_field=$p1
           AND string_field=$p2";
$result = $db->Execute($SQL,$bind);
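The following is an added, stand-alone illustration of the two techniques described on this page (escaping with addQ, and bind variables). It is not ADOdb code: it uses PDO with an in-memory SQLite database (pdo_sqlite is assumed to be available), and its local addQ() function is a hypothetical re-implementation of the escaping rule the page describes, supporting both the doubled-quote convention and the backslash convention so that the "database-specific" remark can be seen in practice. The names table and the value "Patrick O'Reilly" are taken from the page; everything else is constructed for the example.

```php
<?php
// Added example (not ADOdb code): raw interpolation vs addQ-style escaping
// vs a real bind variable, run against an in-memory SQLite database.

// Hypothetical addQ-style escaper. The escaping rule is database-specific:
// ANSI SQL databases (SQLite, PostgreSQL, Oracle, MSSQL) double the quote,
// while MySQL-style databases accept a backslash escape.
function addQ(string $unquoted, string $convention = 'ansi'): string
{
    return $convention === 'backslash'
        ? str_replace("'", "\\'", $unquoted)
        : str_replace("'", "''", $unquoted);
}

// Run one statement and report whether it parsed and how many rows it found.
function runQuery(PDO $db, string $sql): string
{
    try {
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        return count($rows) . " row(s)";
    } catch (PDOException $e) {
        return "syntax error (" . $e->getMessage() . ")";
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE names (name TEXT)");
$db->exec("INSERT INTO names VALUES ('Patrick O''Reilly')");  // constructed row

$string = "Patrick O'Reilly";   // sample input from the page

// 1. Raw interpolation: the embedded ' ends the literal early and the
//    statement no longer parses.
echo "raw interpolation: " . runQuery($db, "SELECT * FROM names WHERE name='$string'") . "\n";

// 2. Escaped with the convention this database understands (doubled quote).
$qString = addQ($string);       // Patrick O''Reilly
echo "addQ (ansi):       " . runQuery($db, "SELECT * FROM names WHERE name='$qString'") . "\n";

// 3. Escaped with the wrong convention: SQLite does not treat \ as an escape
//    character, so the literal still ends at O\ and parsing fails again.
$wrong = addQ($string, 'backslash');   // Patrick O\'Reilly
echo "addQ (backslash):  " . runQuery($db, "SELECT * FROM names WHERE name='$wrong'") . "\n";

// 4. Bind variable: the value never becomes part of the SQL text, so the
//    quote cannot alter the statement's structure and no escaping is needed.
$stmt = $db->prepare("SELECT * FROM names WHERE name = :p2");
$stmt->execute([':p2' => $string]);
echo "bind (raw value):  " . count($stmt->fetchAll(PDO::FETCH_COLUMN)) . " row(s)\n";

// 5. Binding the already escaped value: a native bind passes the string
//    verbatim, so the doubled quote is compared literally.
$stmt->execute([':p2' => $qString]);
echo "bind (addQ value): " . count($stmt->fetchAll(PDO::FETCH_COLUMN)) . " row(s)\n";
```

Run with `php example.php`. Cases 1 and 3 report a syntax error, cases 2 and 4 find the one row, and case 5 finds none: PDO's SQLite driver binds natively, so an escaped value is compared with its doubled quote intact. Whether the same applies when addQ() and bind variables are combined in ADOdb depends on how the particular ADOdb driver implements binding, which is why the escaping convention, and whether any escaping is needed at all, must be decided per driver.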
v5/reference/connection/addq.1495040772.txt.gz · Last modified: 2017/05/17 19:06 by mnewnham