Quoting and escaping

Quoting and escaping – Quote values in a suitable format to compose a query.

Description

MDB2 provides a quote() method to quote a value into a DBMS specific format that is suitable to compose query statements. It has four parameters (only the first one is required): the value to be quoted, its datatype, whether or not to quote the value, and whether or not to escape the wildcards in the value. If you don't provide the datatype, it will be guessed from the value.

Doing a query with quoted values

<?php
// Create a valid MDB2 object named $mdb2
// at the beginning of your program...
require_once 'MDB2.php';

$mdb2 =& MDB2::connect('pgsql://usr:pw@localhost/dbnam');
if (
PEAR::isError($mdb2)) {
    die(
$mdb2->getMessage());
}

// some sample values to be inserted
$id 1;
$name 'sample item';
$time date('Y-m-d H:i:s');

// Proceed with a query...
$query 'INSERT INTO tablename (id, itemname, saved_time) VALUES ('
    
$mdb2->quote($id,   'integer')   .', '
    
$mdb2->quote($name'text')      .', '
    
$mdb2->quote($time'timestamp') .')';
$res =& $mdb2->exec($query);
?>

With the third parameter of the quote() you can specify whether or not the above fields should be individually quoted:

Individually choose the values to be quoted

<?php
$query 
'INSERT INTO sometable (textfield1, boolfield2, datefield3) VALUES ('
    
.$mdb2->quote($val1"text"true).', '
    
.$mdb2->quote($val2"boolean"false).', '
    
.$mdb2->quote($val3"date"true).')';
?>

The above example will quote the fields and the resulting SQL will look as such:

INSERT INTO sometable FIELDS (textfield1, boolfield2, datefield3) VALUES ('blah', 1, '2006-02-21')

where the values defined were the values inserted accordingly. You will notice that the "boolfield2" is unquoted as we specified FALSE in the quote() method.

NB: If you use prepared statements, then quoting will be done automatically, you don't need to do it yourself.

Identifiers

You can quote the db identifiers (table and field names) with quoteIdentifier(). The delimiting style depends on which database driver is being used. NOTE: just because you CAN use delimited identifiers, it doesn't mean you SHOULD use them. In general, they end up causing way more problems than they solve. Anyway, it may be necessary when you have a reserved word as a field name (in this case, we suggest you to change it, if you can). Also, don't use quoteIdentifier() if you have a period in the table name itself (which, BTW, is a really bad idea), since it will consider it as a schema.table pair.

Some of the internal MDB2 methods generate queries. Enabling the quote_identifier option of MDB2 you can tell MDB2 to quote the identifiers in these generated queries. For all user supplied queries this option is irrelevant.

Portability is broken by using the following characters inside delimited identifiers:

  • backtick (`) -- due to MySQL

  • double quote (") -- due to Oracle

  • brackets ([ or ]) -- due to Access

Delimited identifiers are known to generally work correctly under the following drivers:

  • mssql

  • mysql

  • mysqli

  • oci8

  • pgsql

  • sqlite

Firebird/InterBase doesn't seem to be able to use delimited identifiers via PHP 4. They work fine under PHP 5.

Quoting options

Within the MDB2 API there are a number of options to set the quoting options, one of which simply quotes the identifiers within the abstraction, the other quotes the field values on insert/update etc. when using the prepared statements methods.

When using the quote_identifier option, all of the field identifiers will be automatically quoted in the resulting SQL statements:

<?php
$mdb2
->setOption('quote_identifier'true);
?>

will result in a SQL statement that all the field names are quoted with the backtick '`' operator (in MySQL).

SELECT * FROM `sometable` WHERE `id` = '123';

as opposed to:

SELECT * FROM sometable WHERE id='123';

Escape

If you want to escape a value, without surrounding it with quotes, you can use the escape() method. If you also want to escape the wildcards (_ and %), set the second parameter to TRUE

If you just want to escape the wildcards in a value, you can use the escapePattern() method.