Skip site navigation (1) Skip section navigation (2)

Re: problem with serial

From: Raymond O'Donnell <rod(at)iol(dot)ie>
To: Yvon Thoraval <yvon(dot)thoraval(at)gmail(dot)com>
Cc: Chris Angelico <rosuav(at)gmail(dot)com>, pgsql-general(at)postgresql(dot)org
Subject: Re: problem with serial
Date: 2012-04-19 19:33:34
Message-ID: 4F90688E.20804@iol.ie (view raw or flat)
Thread:
Lists: pgsql-general
On 19/04/2012 20:30, Yvon Thoraval wrote:
> 
> 
> 2012/4/19 Raymond O'Donnell <rod(at)iol(dot)ie <mailto:rod(at)iol(dot)ie>>
> 
>     Or better still - and easier - use parametrised queries.
> 
> 
> 
> Right it is easier something like :
> $sql = "categories (idx, ctime, mtime, name) VALUES ( :idx, :ctime,
> :mtime, :name);";
> $prep = $db->prepare($sql);
> $prep->execute( array(':idx' => $_GET['idx'], ':ctime' => $ctime,
> ':mtime' => $mtime, ':name' => $name));
> 
> no more need to $db->quote()  in that case, as :
> $name = $db->quote($name);
> ???
> I mean, even if $name = "L'envers" ? (ie. with a ' in it ?)

Yep - no need to worry about quoting if you use parameters - it's all
done for you. It's also MUCH safer, as it makes SQL injection attacks
much harder (if not impossible).

Ray.

-- 
Raymond O'Donnell :: Galway :: Ireland
rod(at)iol(dot)ie

In response to

Responses

pgsql-general by date

Next:From: Yvon ThoravalDate: 2012-04-19 19:49:53
Subject: Re: problem with serial
Previous:From: Yvon ThoravalDate: 2012-04-19 19:30:46
Subject: Re: problem with serial

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group