Database query escape

Hi all,

Does I need to escape my datas befor insert / update or select statements in database or concrete5 do it automatically ?

What is the right way ?

Thank you !

View Replies: View Best Answer
JohntheFish replied on at Permalink Reply
If you use the C5 Loader::db() and put all your parameters in '?' then an array of the actual values, they are escaped form you.
(Any addon going through the PRB has to be done that way)
Mainio replied on at Permalink Best Answer Reply
Concrete5 does it automatically, through the adodb library.

$db = Loader::db();
$sql = "INSERT INTO YourTableName (integer_value, string_value) VALUES (?,?)";
$vals = array(123, "this is a string with \" special ' characters in it !%¤!#&½=");
$db->query($sql, $vals);

More docs:
kbsd replied on at Permalink Reply
Thanks for your answers.

Ok, but why in adodb doc, we see the use of qstr() and quote() method ?

Another question : what is the difference between $db->query() and $db->Execute(); ?

PS: I don't find query() and Execute() methods in libraries...

Thank you ^^
Mainio replied on at Permalink Reply
qstr() and quote() methods are automatically called by adodb.

$db->Query() is only a wrapper function for $db->Execute(). It returns an error on unsuccessful execution unlike the $db->Execute() method itself. So, it's basically safer to use ->query().

By the way, mostly what you see in c5 is these functions called in lowercase, i.e. $db->query(). They both work but usually it's better to follow conventions so it makes your code more readable/understandable to others.
kbsd replied on at Permalink Reply
Thank you for this usefull answer ! :)
Mainio replied on at Permalink Reply
No problem! Say hi to Michel & Alexandre. ;)