addQ

See Also

qStr

Syntax
string addQ(
       string $unquotedText
       )

Description

The function addQ() takes an input string and applies database-specific escaping to the quote characters that would otherwise terminate a string literal (for example, ' becomes \' on databases that escape with a backslash and '' on databases that double the quote). Unlike the method qStr(), no quotes are added before or after the result, so the caller supplies the surrounding quotes in the SQL text. Escaping only protects a value that is placed inside a quoted literal; it does nothing for a value interpolated into an unquoted position such as a numeric comparison.

This method is particularly useful with bind variable statement execution, to produce injection-resistant code.


Usage

/* $db is assumed to be an open ADOdb connection; $string stands in for user input. */
$string = "Patrick O'Reilly";

$SQL = "SELECT * FROM names WHERE name='$string'";

$result = $db->execute($SQL);

/*
 * Execution fails: the ' in O'Reilly terminates the literal early and
 * leaves an unmatched ' at the end of the statement. Any other input
 * containing a quote would be parsed as SQL in the same way, which is
 * the injection hazard addQ() is meant to close.
 */

$qString = $db->addQ($string);

/*
 * Returns Patrick O\'Reilly on databases that escape with a backslash.
 * The resulting string is database-specific: others return Patrick O''Reilly.
 */

$SQL = "SELECT * FROM names WHERE name='$qString'";

$result = $db->execute($SQL);

/*
 * Execution succeeds: the escaped quote is part of the literal.
 */
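The escaping described above, shown against attacker-controlled input as an added example that is not part of the ADOdb documentation or code base: add_q() is a Python stand-in for what addQ() does (quote escaping, with backslash and NUL escaping for drivers that escape with a backslash), and the query builders, the payloads and the names MYSQL_STYLE and ANSI_STYLE are constructed for this page. The last function shows the limit of escaping that the description notes: an unquoted numeric column is not protected, because a numeric payload contains no quote to escape.

```python
"""Python stand-in for ADOdb's addQ() quote escaping (added example, not ADOdb
code), used to show the generated SQL for attacker-controlled input."""

# replaceQuote values: one backslash plus a quote (MySQL style) or a doubled
# quote (ANSI style, used by PostgreSQL, Oracle and others). Names are ours.
MYSQL_STYLE = "\\'"
ANSI_STYLE = "''"


def add_q(s: str, replace_quote: str) -> str:
    """Escape single quotes the way a driver with the given replaceQuote does.
    No surrounding quotes are added; that is the difference from qStr()."""
    if replace_quote.startswith("\\"):
        # Backslash-style drivers must escape the escape character first,
        # otherwise an input ending in a backslash would cancel the escaping
        # of the quote that follows it; NUL bytes get the same treatment.
        s = s.replace("\\", "\\\\").replace("\0", "\\\0")
    return s.replace("'", replace_quote)


def unsafe_query(name: str) -> str:
    """The 'before' case from the page: raw interpolation, deliberately unsafe."""
    return f"SELECT * FROM names WHERE name='{name}'"


def escaped_query(name: str, replace_quote: str) -> str:
    """Interpolation after add_q(): the caller still writes the surrounding quotes."""
    return f"SELECT * FROM names WHERE name='{add_q(name, replace_quote)}'"


def unsafe_numeric_query(user_id: str, replace_quote: str) -> str:
    """Escaping only protects a quoted literal. A numeric column interpolated
    without quotes stays injectable: the payload has no quote to escape."""
    return f"SELECT * FROM names WHERE id={add_q(user_id, replace_quote)}"


# Constructed attacker inputs for the demonstration.
PAYLOAD = "x' OR '1'='1"
NUMERIC_PAYLOAD = "1 OR 1=1"

if __name__ == "__main__":
    print(unsafe_query(PAYLOAD))
    # SELECT * FROM names WHERE name='x' OR '1'='1'   (tautology: every row)
    print(escaped_query(PAYLOAD, MYSQL_STYLE))
    # SELECT * FROM names WHERE name='x\' OR \'1\'=\'1'   (one literal)
    print(escaped_query(PAYLOAD, ANSI_STYLE))
    # SELECT * FROM names WHERE name='x'' OR ''1''=''1'   (one literal)
    print(unsafe_numeric_query(NUMERIC_PAYLOAD, MYSQL_STYLE))
    # SELECT * FROM names WHERE id=1 OR 1=1   (add_q changed nothing)
```

The two escaped queries each contain a single string literal, so the payload is compared as data. The numeric case is the one to remember: quote escaping is the wrong tool for an unquoted position, and a bind variable or an explicit integer cast is needed there instead.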

Using addQ With Bind

This example shows a database-independent bind variable statement in which the string value is escaped with addQ() before it is placed in the bind array. Whether that escaping is needed depends on how the driver handles binding: a driver that passes bound values to the database separately never parses them as SQL, so the value needs no escaping and any escape characters added by addQ() become part of the stored data, while a driver that emulates binding by quoting each value itself escapes the string a second time. Check how the driver in use treats bound strings before combining the two, for example by reading back a value containing a quote.

/* $db is assumed to be an open ADOdb connection; the field values stand in for user input. */
$integerField = 42;
$stringField  = "Patrick O'Reilly";

$p1 = $db->param('p1');
$p2 = $db->param('p2');

/*
 * Provide internal escaping of ' characters
 */
$qStringField = $db->addQ($stringField);

$bind = array('p1' => $integerField,
              'p2' => $qStringField);

$SQL = "SELECT *
          FROM some_table
         WHERE integer_field=$p1
           AND string_field=$p2";

$result = $db->execute($SQL, $bind);
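The driver-dependence of combining addQ() with bind variables, worked through as an added example that is not ADOdb code: native_bind() and emulated_bind() are stand-ins written for this page for the two ways a driver can handle a bind array, add_q() is again a stand-in for addQ() with backslash-style escaping, and decode_mysql_literal() shows what a backslash-style parser would store for the literal the emulated driver produces. The sample name is constructed. stored_name() is the read-back check suggested above, run against the emulated driver.

```python
"""Added example, not ADOdb code: models native and emulated bind variable
handling to show when escaping a bound value with addQ() is redundant
or changes the stored data. All functions here are stand-ins for this page."""
import re

MYSQL_STYLE = "\\'"  # replaceQuote for a backslash-escaping driver


def add_q(s: str, replace_quote: str = MYSQL_STYLE) -> str:
    """Stand-in for ADOdb's addQ(): escape backslashes, NUL and quotes."""
    if replace_quote.startswith("\\"):
        s = s.replace("\\", "\\\\").replace("\0", "\\\0")
    return s.replace("'", replace_quote)


def native_bind(sql: str, params: list) -> tuple:
    """Native binding: the SQL text and the values travel separately and the
    database never parses a value as SQL. Nothing is escaped, so whatever is
    in the bind array, escape characters included, is stored verbatim."""
    return sql, list(params)


def emulated_bind(sql: str, params: list, replace_quote: str = MYSQL_STYLE) -> str:
    """Emulated binding: each ? is replaced by the value in the SQL text,
    strings quoted the way qStr() would (add_q plus surrounding quotes),
    integers inlined. A pre-escaped string gets escaped a second time."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder count does not match parameter count")
    out = parts[0]
    for value, tail in zip(params, parts[1:]):
        if isinstance(value, str):
            out += "'" + add_q(value, replace_quote) + "'"
        else:
            out += str(int(value))
        out += tail
    return out


def decode_mysql_literal(literal: str) -> str:
    """What a backslash-style parser stores for a quoted literal: strip the
    outer quotes and collapse each backslash escape to the escaped character."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a quoted literal")
    return re.sub(r"\\(.)", r"\1", literal[1:-1], flags=re.S)


def stored_name(bound_value: str) -> str:
    """Bind one string through the emulated driver and return what the
    database would store for it."""
    return decode_mysql_literal(emulated_bind("?", [bound_value]))


# Constructed sample input.
NAME = "Patrick O'Reilly"

if __name__ == "__main__":
    print(emulated_bind("SELECT * FROM names WHERE name=? AND id=?", [NAME, 7]))
    # SELECT * FROM names WHERE name='Patrick O\'Reilly' AND id=7
    print(stored_name(NAME))          # Patrick O'Reilly   (correct)
    print(stored_name(add_q(NAME)))   # Patrick O\'Reilly  (escape char stored)
    print(native_bind("SELECT * FROM names WHERE name=?", [add_q(NAME)]))
    # ('SELECT * FROM names WHERE name=?', ["Patrick O\\'Reilly"])  (stored as-is)
```

Both driver models keep the attacker payload from the earlier section out of the SQL structure on their own: the native model never parses the value, and the emulated model quotes it. The difference shows up in the stored data, where a value escaped with add_q() before binding keeps its backslash under either model. That is the behaviour to test on the real driver before adopting the pattern from the example above.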