Document PDO::quote() (within 24 hours of it being added to PDO -- hurray!)

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@179435 c90b9560-bf6c-de11-be94-00142212c4b1
2025-03-16 08:58:56 +00:00 · 2005-02-10 04:30:50 +00:00 · 2005-02-10 04:30:50 +00:00 · 1826d890cd
commit 1826d890cd
parent 5c045cd687
2 changed files with 182 additions and 1 deletions
--- a/reference/pdo/functions/PDO-quote.xml
+++ b/reference/pdo/functions/PDO-quote.xml
@ -0,0 +1,177 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!-- $Revision: 1.1 $ -->
+<!-- Generated by xml_proto.php v2.2. Found in /scripts directory of phpdoc. -->
+<refentry id="function.PDO-quote">
+ <refnamediv>
+  <refname>PDO::quote</refname>
+  <refpurpose>
+   Quotes a string for use in a query.
+  </refpurpose>
+ </refnamediv>
+ <refsect1 role="description">
+  &reftitle.description;
+  <methodsynopsis>
+   <type>string</type><methodname>PDO::quote</methodname>
+   <methodparam><type>string</type><parameter>string</parameter></methodparam>
+   <methodparam choice="opt"><type>int</type><parameter>parameter_type</parameter></methodparam>
+  </methodsynopsis>
+
+  &warn.experimental.func;
+
+  <para>
+   <function>PDO::quote</function> places quotes around the input
+   string and escapes and single quotes within the input string.
+   Quoting input strings has been a common means of attempting to
+   prevent SQL injection attacks; however, an even safer approach
+   is to use prepared statements with named parameters or placeholders
+   for the input values.
+  </para>
+  <para>
+   Not all PDO drivers implement this method.
+  </para>
+ </refsect1>
+ <refsect1 role="parameters">
+  &reftitle.parameters;
+  <para>
+   <variablelist>
+    <varlistentry>
+     <term><parameter>string</parameter></term>
+      <listitem>
+       <para>
+        The string to be quoted.
+       </para>
+      </listitem>
+     </varlistentry>
+    <varlistentry>
+     <term><parameter>parameter_type</parameter></term>
+      <listitem>
+       <para>
+        Provides a data type hint for drivers that have alternate quoting styles.
+        The default value is PDO_PARAM_STR.
+       </para>
+      </listitem>
+     </varlistentry>
+   </variablelist>
+  </para>
+ </refsect1>
+ <refsect1 role="returnvalues">
+  &reftitle.returnvalues;
+  <para>
+   Returns a quoted string that is theoretically safe to pass into an
+   SQL statement.
+  </para>
+ </refsect1>
+
+ <!-- Use when EXCEPTIONS exist
+ <refsect1 role="exceptions">
+  &reftitle.exceptions;
+  <para>
+   When does this function throw exceptions?
+  </para>
+ </refsect1>
+ -->
+
+ <refsect1 role="examples">
+  &reftitle.examples;
+  <para>
+   <example>
+    <title>Quoting a normal string</title>
+    <programlisting role="php">
+<![CDATA[
+<?php
+$conn = new PDO('sqlite:/home/lynn/music.sql3');
+
+/* Simple string */
+$string = 'Nice';
+print "Unquoted string: $string\n";
+print "Quoted string: " . $conn->quote($string) . "\n";
+?>
+]]>
+    </programlisting>
+    &example.outputs;
+    <screen>
+<![CDATA[
+Unquoted string: Nice
+Quoted string: 'Nice'
+]]>
+    </screen>
+   </example>
+   <example>
+    <title>Quoting a dangerous string</title>
+    <programlisting role="php">
+<![CDATA[
+<?php
+$conn = new PDO('sqlite:/home/lynn/music.sql3');
+
+/* Dangerous string */
+$string = 'Naughty \' string';
+print "Unquoted string: $string\n";
+print "Quoted string:" . $conn->quote($string) . "\n";
+?>
+]]>
+    </programlisting>
+    &example.outputs;
+    <screen>
+<![CDATA[
+Unquoted string: Naughty ' string
+Quoted string: 'Naughty '' string'
+]]>
+    </screen>
+   </example>
+   <example>
+    <title>Quoting a complex string</title>
+    <programlisting role="php">
+<![CDATA[
+<?php
+$conn = new PDO('sqlite:/home/lynn/music.sql3');
+
+/* Complex string */
+$string = "Co'mpl''ex \"st'\"ring";
+print "Unquoted string: $string\n";
+print "Quoted string: " . $conn->quote($string) . "\n";
+?>
+]]>
+    </programlisting>
+    &example.outputs;
+    <screen>
+<![CDATA[
+Unquoted string: Co'mpl''ex "st'"ring
+Quoted string: 'Co''mpl''''ex "st''"ring'
+]]>
+    </screen>
+   </example>
+  </para>
+ </refsect1>
+
+ <refsect1 role="seealso">
+  &reftitle.seealso;
+  <para>
+   <simplelist>
+    <member><function>PDO::prepare</function></member>
+    <member><function>PDOStatement::execute</function></member>
+   </simplelist>
+  </para>
+ </refsect1>
+
+</refentry>
+
+<!-- Keep this comment at the end of the file
+Local variables:
+mode: sgml
+sgml-omittag:t
+sgml-shorttag:t
+sgml-minimize-attributes:nil
+sgml-always-quote-attributes:t
+sgml-indent-step:1
+sgml-indent-data:t
+indent-tabs-mode:nil
+sgml-parent-document:nil
+sgml-default-dtd-file:"../../../../manual.ced"
+sgml-exposed-tags:nil
+sgml-local-catalogs:nil
+sgml-local-ecat-files:nil
+End:
+vim600: syn=xml fen fdm=syntax fdl=2 si
+vim: et tw=78 syn=sgml
+vi: ts=1 sw=1
+-->
--- a/reference/pdo/reference.xml
+++ b/reference/pdo/reference.xml
@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='iso-8859-1'?>
-<!-- $Revision: 1.15 $ -->
+<!-- $Revision: 1.16 $ -->
 <!-- Generated by xml_proto.php v2.1. Found in /scripts directory of phpdoc. -->
 <reference id="ref.pdo">
  <title>PDO Functions</title>
@ -237,6 +237,10 @@ bash# echo extension=pdo.so >> /usr/local/php5/lib/php.ini
        <para><link linkend='function.PDO-query'>query</link> - issues an SQL
        statement and returns a result set</para>
       </listitem>
+       <listitem>
+        <para><link linkend='function.PDO-quote'>quote</link> - returns a
+        quoted version of a string for use in SQL statements</para>
+       </listitem>
       <listitem>
        <para><link linkend='function.PDO-rollBack'>rollBack</link> - roll
         back a transaction</para>