Differences

This shows you the differences between two versions of the page.

--- v5:reference:connection:addq [2017/04/21 11:50] – external edit 127.0.0.1
+++ v5:reference:connection:addq [2021/01/25 03:00] (current) – mnewnham
@@ Line 6: / Line 6: @@
 == Syntax ==
   string addQ(
-         string $unquoted,
+         string $unquotedText
-         optional bool $dontFixQuotes=false
          )
 </WRAP>
 ==== Description ====
 The function ''addQ()'' takes an input string, and applies database specific string quoting. Unlike the method [[v5:reference:connection:qstr]], no pre or post quoting is applied.
+This method is particularly useful when used with [[v5:userguide:learn_bind:bind_vars|bind variable SQL statement execution]], to produce injection resistant code.
 ------------------------------
@@ Line 20: / Line 21: @@
 $SQL = "SELECT * FROM names WHERE name='$string'";
-$result = $db->Execute($SQL);
+$result = $db->execute($SQL);
 /*
@@ Line 34: / Line 35: @@
 $SQL = "SELECT * FROM names WHERE name='$qString'";
-$result = $db->Execute($SQL);
+$result = $db->execute($SQL);
 /*
- * Execution Succeeds
+ * Execution succeeds
  */
 </code>
+==== Using qStr With Bind ====
+This example shows a completely database independent bind variable statement with special character escaping, providing strong resistance to SQL injection.
+<code php>
+$p1 = $db->param('p1');
+$p2 = $db->param('p2');
+/*
+* Provide internal escaping of ' characters
+*/
+$qStringField = $db->addQ($stringField);
+$bind = array('p1'=>$integerField,
+	      'p2'=>$qStringField);
+$SQL = "SELECT *
+	FROM some_table
+       WHERE integer_field=$p1
+	 AND string_field=$p2";
+$result = $db->execute($SQL,$bind);
+</code>