php-doc-en/reference/pgsql/functions/pg-query-params.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<!-- splitted from ./en/functions/pgsql.xml, last change in rev 1.2 -->
<refentry xml:id="function.pg-query-params" xmlns="http://docbook.org/ns/docbook">
 <refnamediv>
  <refname>pg_query_params</refname>
  <refpurpose>Submits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text.</refpurpose>
 </refnamediv>

 <refsect1 role="description">
  &reftitle.description;
  <methodsynopsis>
   <type>resource</type><methodname>pg_query_params</methodname>
   <methodparam choice="opt"><type>resource</type><parameter>connection</parameter></methodparam>
   <methodparam><type>string</type><parameter>query</parameter></methodparam>
   <methodparam><type>array</type><parameter>params</parameter></methodparam>
  </methodsynopsis>
  <para>
    Submits a command to the server and waits for the result, with the ability 
    to pass parameters separately from the SQL command text.
  </para>
  <para>
    <function>pg_query_params</function> is like <function>pg_query</function>, 
    but offers additional functionality: parameter 
    values can be specified separately from the command string proper. 
    <function>pg_query_params</function> is supported only against PostgreSQL 7.4 or
    higher connections; it will fail when using earlier versions.
  </para>
  <para>
    If parameters are used, they are referred to in the
    <parameter>query</parameter> string as $1, $2, etc. The same parameter may
    appear more than once in the <parameter>query</parameter>; the same value
    will be used in that case. <parameter>params</parameter> specifies the
    actual values of the parameters. A &null; value in this array means the
    corresponding parameter is SQL <literal>NULL</literal>.
  </para>
  <para>
    The primary advantage of <function>pg_query_params</function> over <function>pg_query</function> 
    is that parameter values 
    may be separated from the <parameter>query</parameter> string, thus avoiding the need for tedious 
    and error-prone quoting and escaping. Unlike <function>pg_query</function>, 
    <function>pg_query_params</function> allows at 
    most one SQL command in the given string. (There can be semicolons in it, 
    but not more than one nonempty command.)
  </para>
 </refsect1>

 <refsect1 role="parameters">
  &reftitle.parameters;
  <para>
   <variablelist>
    <varlistentry>
     <term><parameter>connection</parameter></term>
     <listitem>
      <para>
       PostgreSQL database connection resource.  When 
       <parameter>connection</parameter> is not present, the default connection 
       is used. The default connection is the last connection made by 
       <function>pg_connect</function> or <function>pg_pconnect</function>.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>query</parameter></term>
     <listitem>
      <para>
       The parameterized SQL statement.  Must contain only a single statement.
       (multiple statements separated by semi-colons are not allowed.)  If any parameters 
       are used, they are referred to as $1, $2, etc.
      </para>
      <para>
       User-supplied values should always be passed as parameters, not
       interpolated into the query string, where they form possible
       <link linkend="security.database.sql-injection"> SQL injection</link>
       attack vectors and introduce bugs when handling data containing quotes.
       If for some reason you cannot use a parameter, ensure that interpolated
       values are <link  linkend="function.pg-escape-string">properly escaped</link>.
      </para>
     </listitem>
    </varlistentry>
    <varlistentry>
     <term><parameter>params</parameter></term>
     <listitem>
      <para>
        An array of parameter values to substitute for the $1, $2, etc. placeholders
        in the original prepared query string.  The number of elements in the array
        must match the number of placeholders.
      </para>
      <para>
       Values intended for <literal>bytea</literal> fields are not supported as
       parameters. Use <function>pg_escape_bytea</function> instead, or use the
       large object functions.
      </para>
     </listitem>
    </varlistentry>
   </variablelist>
  </para>
 </refsect1>

 <refsect1 role="returnvalues">
  &reftitle.returnvalues;
  <para>
    A query result resource on success&return.falseforfailure;.</para>
 </refsect1>
 
 <refsect1 role="examples">
  &reftitle.examples;
  <para>
   <example>
    <title>Using <function>pg_query_params</function></title>
    <programlisting role="php">
<![CDATA[
<?php
// Connect to a database named "mary"
$dbconn = pg_connect("dbname=mary");

// Find all shops named Joe's Widgets.  Note that it is not necessary to
// escape "Joe's Widgets"
$result = pg_query_params($dbconn, 'SELECT * FROM shops WHERE name = $1', array("Joe's Widgets"));

// Compare against just using pg_query
$str = pg_escape_string("Joe's Widgets");
$result = pg_query($dbconn, "SELECT * FROM shops WHERE name = '{$str}'");

?>
]]>
    </programlisting>
   </example>
  </para>
 </refsect1>
 
 <refsect1 role="seealso">
  &reftitle.seealso;
  <para>
   <simplelist>
    <member><function>pg_query</function></member>
   </simplelist>
  </para>
 </refsect1>
</refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->