| From: | Raymond O'Donnell <rod(at)iol(dot)ie> |
|---|---|
| To: | Yvon Thoraval <yvon(dot)thoraval(at)gmail(dot)com> |
| Cc: | Chris Angelico <rosuav(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org |
| Subject: | Re: problem with serial |
| Date: | 2012-04-19 19:33:34 |
| Message-ID: | 4F90688E.20804@iol.ie |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On 19/04/2012 20:30, Yvon Thoraval wrote:
>
>
> 2012/4/19 Raymond O'Donnell <rod(at)iol(dot)ie <mailto:rod(at)iol(dot)ie>>
>
> Or better still - and easier - use parametrised queries.
>
>
>
> Right it is easier something like :
> $sql = "categories (idx, ctime, mtime, name) VALUES ( :idx, :ctime,
> :mtime, :name);";
> $prep = $db->prepare($sql);
> $prep->execute( array(':idx' => $_GET['idx'], ':ctime' => $ctime,
> ':mtime' => $mtime, ':name' => $name));
>
> no more need to $db->quote() in that case, as :
> $name = $db->quote($name);
> ???
> I mean, even if $name = "L'envers" ? (ie. with a ' in it ?)
Yep - no need to worry about quoting if you use parameters - it's all
done for you. It's also MUCH safer, as it makes SQL injection attacks
much harder (if not impossible).
Ray.
--
Raymond O'Donnell :: Galway :: Ireland
rod(at)iol(dot)ie
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Yvon Thoraval | 2012-04-19 19:49:53 | Re: problem with serial |
| Previous Message | Yvon Thoraval | 2012-04-19 19:30:46 | Re: problem with serial |