Database query escape
Hi all,
Do I need to escape my data before insert / update / select statements in the database, or does concrete5 do it automatically?
What is the right way?
Thank you !
Concrete5 does it automatically, through the adodb library.
Example:
$db = Loader::db();
// each ? is replaced by the matching value from $vals, quoted by adodb
$sql = "INSERT INTO YourTableName (integer_value, string_value) VALUES (?,?)";
$vals = array(123, "this is a string with \" special ' characters in it !%¤!#&½=");
$db->query($sql, $vals);
More docs: http://phplens.com/lens/adodb/docs-adodb.htm...
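An added example (not from this thread) that shows the same placeholder pattern for INSERT and SELECT, and the one case placeholders do not cover (column names). It assumes a concrete5 5.x $db handle from Loader::db() and a hypothetical Messages table with columns msgID, author and body.

```php
<?php
// Added example, not code from the original thread or from concrete5 itself.
// Assumes concrete5 5.x (ADOdb) and a hypothetical table:
//   Messages (msgID INT, author VARCHAR(64), body TEXT)
$db = Loader::db();

// Untrusted input from the request.
$author = isset($_POST['author']) ? $_POST['author'] : '';
$body   = isset($_POST['body'])   ? $_POST['body']   : '';

// UNSAFE: interpolating the raw value puts it straight into the SQL text,
// so a quote character inside $author can terminate the string literal.
// $db->query("INSERT INTO Messages (author, body) VALUES ('$author', '$body')");

// SAFE: every ? is bound to one value; ADOdb quotes each string value
// (via qstr()) before the statement reaches the driver.
$db->query(
    'INSERT INTO Messages (author, body) VALUES (?, ?)',
    array($author, $body)
);

// Placeholders work the same way for SELECT, UPDATE and DELETE.
$rows = $db->GetAll(
    'SELECT msgID, body FROM Messages WHERE author = ?',
    array($author)
);
foreach ($rows as $row) {
    echo (int) $row['msgID'] . ': ' . htmlspecialchars($row['body']) . "\n";
}

// Placeholders bind VALUES only. Column names, table names and sort
// direction cannot be bound, so restrict those to a fixed whitelist.
$requestedSort = isset($_GET['sort']) ? $_GET['sort'] : 'msgID';
$allowedSorts  = array('msgID', 'author');
$orderBy = in_array($requestedSort, $allowedSorts, true) ? $requestedSort : 'msgID';

$db->query(
    'DELETE FROM Messages WHERE author = ?',
    array($author)
);
$latest = $db->GetAll('SELECT msgID FROM Messages ORDER BY ' . $orderBy);
```

GetAll() and query() both accept the same optional parameter array, so the placeholder form is available wherever a query is issued, not only for INSERT.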
Thanks for your answers.
Ok, but why, in the adodb doc, do we see the use of the qstr() and quote() methods?
Another question: what is the difference between $db->query() and $db->Execute()?
PS: I can't find the query() and Execute() methods in the libraries...
Thank you ^^
qstr() and quote() methods are automatically called by adodb.
$db->Query() is only a wrapper function for $db->Execute(). Unlike $db->Execute() itself, it returns an error on unsuccessful execution, so it's basically safer to use ->query().
By the way, in c5 you mostly see these functions called in lowercase, i.e. $db->query(). Both work, but it's usually better to follow conventions so your code is more readable/understandable to others.
Thank you for this useful answer! :)
No problem! Say hi to Michel & Alexandre. ;)
(Any addon going through the PRB has to be done that way)