Wez Furlong 2005-08-31, 3:57 am

And PDO::quote() does nothing for ODBC, because it currently has no
idea what dialect of SQL is spoken by the underlying ODBC driver.
--Wez.
On 8/30/05, Dan Scott <dbs@php.net> wrote:
> dbs Tue Aug 30 20:56:36 2005 EDT
>
> Modified files:
> /phpdoc/en/reference/pdo/functions PDO-quote.xml
> Log:
> Emphasize the usefulness of prepared statements vs. quoted input.
>
>
> http://cvs.php.net/diff.php/phpdoc/...ns/PDO-quote.xml?r1=1.2&r2=1.3&ty=u
> Index: phpdoc/en/reference/pdo/functions/PDO-quote.xml
> diff -u phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2 phpdoc/en/ref=
erence/pdo/functions/PDO-quote.xml:1.3
> --- phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2 Mon Jul 11 00:38:=
55 2005
> +++ phpdoc/en/reference/pdo/functions/PDO-quote.xml Tue Aug 30 20:56:=
35 2005
> @@ -1,5 +1,5 @@
> <?xml version=3D"1.0" encoding=3D"iso-8859-1"?>
> -<!-- $Revision: 1.2 $ -->
> +<!-- $Revision: 1.3 $ -->
> <!-- Generated by xml_proto.php v2.2. Found in /scripts directory of php=
doc. -->
> <refentry id=3D"function.PDO-quote">
> <refnamediv>
> @@ -24,9 +24,14 @@
> quoting style appropriate to the underlying driver.
> </para>
> <para>
> - If you're using this function to build SQL, it is recommended that yo=
u
> - using prepared statements and bound parameters instead, as it is not =
only
> - more convenient, but often much faster.
> + If you are using this function to build SQL statements, you are
> + <emphasis>strongly</emphasis> recommended to use
> + <function>PDO::prepare</function> to prepare SQL statements with boun=
d
> + parameters instead of using <function>PDO::quote</function> to interp=
olate
> + user input into a SQL statement. Prepared statements with bound param=
eters
> + are not only more portable, more convenient, and vastly more secure, =
but
> + are often much faster than interpolating user input into slight varia=
tions
> + on the same basic SQL statement.
> </para>
> <para>
> Not all PDO drivers implement this method (notably PDO_ODBC). Consid=
er
>
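Review bot: the new paragraph claims bound parameters are "more portable" and "vastly more secure" without saying why, while the very next context line concedes that "Not all PDO drivers implement this method (notably PDO_ODBC)". Suggest joining the two: where the driver implements no quoter, PDO::quote cannot escape for the target dialect at all, so SQL assembled from its output is not safe across drivers, whereas bound parameters leave escaping to the driver. Also, "you are strongly recommended to use" reads awkwardly; "it is strongly recommended that you use" is the usual phrasing.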
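The contrast the doc change draws, as an added example that is not part of the thread or the PHP manual: the same lookup written with PDO::quote() interpolation and with a prepared statement, against an in-memory SQLite database (the table, rows and input are constructed for the example; the false check reflects PDO::quote() returning false on drivers without a quoter).

```php
<?php
// Added example (not from the thread or the PHP docs): contrasts building SQL
// with PDO::quote() against a prepared statement with bound parameters.
// Uses an in-memory SQLite database so it runs anywhere pdo_sqlite is loaded.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows; the second contains a quote character.
    $db->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");
    return $db;
}

// The pattern the doc change discourages: interpolating quoted input.
// Correctness depends entirely on the driver's quoter, and PDO::quote()
// returns false on drivers that do not implement one (the PDO_ODBC case
// in the doc), which would interpolate an empty string if left unchecked.
function findByNameWithQuote(PDO $db, string $name): array {
    $quoted = $db->quote($name);
    if ($quoted === false) {
        throw new RuntimeException('driver does not implement PDO::quote()');
    }
    return $db->query("SELECT id, name FROM users WHERE name = $quoted")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// The recommended pattern: the value travels separately from the SQL text,
// so no dialect-specific escaping is performed in PHP at all.
function findByNameWithPrepare(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
$input = "o'brien"; // constructed input containing a quote character
$viaQuote = findByNameWithQuote($db, $input);
$viaPrepare = findByNameWithPrepare($db, $input);
// On a driver with a working quoter both paths return the same single row;
// only the prepared form keeps working unchanged on a driver without one.
var_dump($viaQuote === $viaPrepare);
```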