====== addQ ======
~~NOTOC~~
== See Also ==
[[v5:reference:connection:qstr]]\\
== Syntax ==
<code php>
string addQ(
    string $unquotedText
)
</code>
==== Description ====
The function ''addQ()'' takes an input string and applies database-specific quoting to the quote characters inside it. Unlike the method [[v5:reference:connection:qstr]], the returned string is not wrapped in surrounding quote characters.
This method is particularly useful when used with [[v5:userguide:learn_bind:bind_vars|bind variable SQL statement execution]], to produce injection-resistant code.
------------------------------
==== Usage ====
<code php>
// $db is an open ADOdb connection object
$string = "Patrick O'Reilly";
$SQL = "SELECT * FROM names WHERE name='$string'";
$result = $db->execute($SQL);
/*
 * Execution fails: the ' in O'Reilly terminates the string literal early,
 * leaving a mismatched ' character
 */
$qString = $db->addQ($string);
/*
 * addQ() returns Patrick O\'Reilly (the resulting string is database-specific;
 * drivers that double quotes return Patrick O''Reilly)
 */
$SQL = "SELECT * FROM names WHERE name='$qString'";
$result = $db->execute($SQL);
/*
 * Execution succeeds
 */
</code>
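As an added example (not ADOdb's own code), the following stand-in reproduces the kind of quoting ''addQ()'' applies, parameterised by the driver's quote replacement string, and pairs it with a check that scans the result the way the dialect's SQL lexer would. It extends the page's O'Reilly case to a trailing backslash and an embedded NUL byte, which only backslash-escaping dialects have to handle. The replacement strings ("\'" for MySQL-style, "''" for ANSI-style drivers) and the backslash/NUL handling are assumptions about driver behaviour, not a description of any specific ADOdb driver.

```php
<?php
// Added illustration (not ADOdb's own code): a stand-in for the quoting that
// addQ() applies, parameterised by the driver's quote replacement string
// (assumption: "\'" for MySQL-style drivers, "''" for ANSI-style drivers).
function addQ_like(string $s, string $replaceQuote): string
{
    if ($replaceQuote[0] === '\\') {
        // Backslash dialects: a backslash or NUL byte in the value must be
        // escaped as well, or it would change how the following quote is read.
        $s = str_replace(['\\', "\0"], ['\\\\', "\\\0"], $s);
    }
    return str_replace("'", $replaceQuote, $s);
}

// Scan the body of a single-quoted literal the way the SQL lexer of that
// dialect would; true means the whole body stays inside one literal.
function literalIsIntact(string $body, string $replaceQuote): bool
{
    $n = strlen($body);
    for ($i = 0; $i < $n; $i++) {
        if ($replaceQuote[0] === '\\' && $body[$i] === '\\') {
            if (++$i >= $n) {
                return false;      // trailing "\" would swallow the closing quote
            }
        } elseif ($body[$i] === "'") {
            if ($replaceQuote === "''" && $i + 1 < $n && $body[$i + 1] === "'") {
                $i++;              // doubled quote: still inside the literal
            } else {
                return false;      // lone quote: the literal ends early
            }
        }
    }
    return true;
}

// Constructed inputs: the page's O'Reilly case, a trailing backslash and an
// embedded NUL byte. The last two only matter for backslash dialects.
$inputs = ["Patrick O'Reilly", "C:\\temp\\", "a\0b"];
foreach (["\\'" => 'MySQL-style', "''" => 'ANSI-style'] as $rq => $label) {
    foreach ($inputs as $in) {
        $quoted = addQ_like($in, $rq);
        printf("%-11s %-20s raw:%-6s addQ:%-6s -> %s\n",
            $label, json_encode($in),
            literalIsIntact($in, $rq) ? 'intact' : 'BROKEN',
            literalIsIntact($quoted, $rq) ? 'intact' : 'BROKEN',
            str_replace("\0", '\0', $quoted));
    }
}
```

Every input scans as intact after quoting in both dialects, while the raw O'Reilly value breaks in both and the trailing backslash breaks only in the backslash dialect, which is why the escaping has to be chosen per database rather than applied generically.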
==== Using addQ With Bind ====
This example shows a completely database-independent bind variable statement with special-character escaping, providing strong resistance to SQL injection.
<code php>
// $db is an open ADOdb connection; $integerField and $stringField hold the
// values to search for
$p1 = $db->param('p1');
$p2 = $db->param('p2');
/*
 * Provide internal escaping of ' characters
 */
$qStringField = $db->addQ($stringField);
$bind = array('p1' => $integerField,
              'p2' => $qStringField);
$SQL = "SELECT *
          FROM some_table
         WHERE integer_field=$p1
           AND string_field=$p2";
$result = $db->execute($SQL, $bind);
</code>