diff --git a/reference/pdo/functions/PDO-quote.xml b/reference/pdo/functions/PDO-quote.xml new file mode 100644 index 0000000000..39c7adb9d9 --- /dev/null +++ b/reference/pdo/functions/PDO-quote.xml @@ -0,0 +1,177 @@ + + + + + + PDO::quote + + Quotes a string for use in a query. + + + + &reftitle.description; + + stringPDO::quote + stringstring + intparameter_type + + + &warn.experimental.func; + + + PDO::quote places quotes around the input + string and escapes and single quotes within the input string. + Quoting input strings has been a common means of attempting to + prevent SQL injection attacks; however, an even safer approach + is to use prepared statements with named parameters or placeholders + for the input values. + + + Not all PDO drivers implement this method. + + + + &reftitle.parameters; + + + + string + + + The string to be quoted. + + + + + parameter_type + + + Provides a data type hint for drivers that have alternate quoting styles. + The default value is PDO_PARAM_STR. + + + + + + + + &reftitle.returnvalues; + + Returns a quoted string that is theoretically safe to pass into an + SQL statement. + + + + + + + &reftitle.examples; + + + Quoting a normal string + +quote($string) . "\n"; +?> +]]> + + &example.outputs; + + + + + + Quoting a dangerous string + +quote($string) . "\n"; +?> +]]> + + &example.outputs; + + + + + + Quoting a complex string + +quote($string) . "\n"; +?> +]]> + + &example.outputs; + + + + + + + + + &reftitle.seealso; + + + PDO::prepare + PDOStatement::execute + + + + + + + diff --git a/reference/pdo/reference.xml b/reference/pdo/reference.xml index 1ad8a759b3..473420ecad 100644 --- a/reference/pdo/reference.xml +++ b/reference/pdo/reference.xml @@ -1,5 +1,5 @@ - + PDO Functions @@ -237,6 +237,10 @@ bash# echo extension=pdo.so >> /usr/local/php5/lib/php.ini query - issues an SQL statement and returns a result set + + quote - returns a + quoted version of a string for use in SQL statements + rollBack - roll back a transaction