Database query escape
Do I need to escape my data before INSERT / UPDATE or SELECT statements in the database, or does concrete5 do it automatically?
What is the right way?
Thank you !
(Any addon going through the PRB has to be done that way)
$db = Loader::db();
// Placeholders (?) in the SQL; the values are passed separately and bound by ADOdb,
// so the quotes and other special characters in the string need no manual escaping
$sql = "INSERT INTO YourTableName (integer_value, string_value) VALUES (?,?)";
$vals = array(123, "this is a string with \" special ' characters in it !%¤!#&½=");
$db->query($sql, $vals);
Ok, but why, in the ADOdb docs, do we see the use of the qstr() and quote() methods?
Another question: what is the difference between $db->query() and $db->Execute()?
PS: I can't find the query() and Execute() methods in the libraries...
Thank you ^^
$db->Query() is only a wrapper function for $db->Execute(). It returns an error on unsuccessful execution unlike the $db->Execute() method itself. So, it's basically safer to use ->query().
By the way, in c5 you mostly see these functions called in lowercase, i.e. $db->query(). Both work, but it's usually better to follow the conventions so your code is more readable/understandable to others.
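To show the difference in practice, here is an added example (not code from anyone in this thread) contrasting string interpolation with bound parameters on concrete5's ADOdb wrapper, plus the one place qstr() belongs. It assumes a hypothetical Notes table with noteID, title and body columns; the input values are constructed.

```php
<?php
// Added example: unsafe vs. bound-parameter SQL through concrete5's ADOdb wrapper.
// Assumes a hypothetical table 'Notes' (noteID auto-increment, title, body).

$db = Loader::db();

// Input as it might arrive from a form: quotes and % are ordinary characters
// in user text, not something to strip (constructed sample values).
$title = "O'Reilly's notes -- \"draft\"";
$body  = 'Contains % and _ and a backslash \\ too';

// UNSAFE: interpolating raw input into the SQL string. The single quote in
// $title ends the string literal early, so the statement breaks or no longer
// means what the developer intended. Left commented out on purpose.
// $db->Execute("INSERT INTO Notes (title, body) VALUES ('$title', '$body')");

// SAFE: placeholders in the SQL, values passed as a separate array.
// ADOdb (or the driver) quotes them, so nothing is escaped by hand.
$db->query(
    'INSERT INTO Notes (title, body) VALUES (?, ?)',
    array($title, $body)
);

// Same rule for reads: bind the lookup value instead of concatenating it.
$rows = $db->GetAll(
    'SELECT noteID, title FROM Notes WHERE title = ?',
    array($title)
);
foreach ($rows as $row) {
    echo $row['noteID'] . ': ' . $row['title'] . "\n";
}

// qstr() is for the rare case where a value cannot be bound, e.g. when the
// SQL has to be assembled as one literal string (logging, a tool that takes
// no parameter array). It returns the value quoted and escaped for the
// connected database. Placeholders remain the default; this is the exception.
$literal   = $db->qstr($title);
$sqlForLog = "SELECT noteID FROM Notes WHERE title = $literal";
```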