(no version information, might be only in CVS)

pg_query_params -- Execute a query, specifying query variables as separate parameters


resource pg_query_params ( string query, array params )

resource pg_query_params ( resource connection, string query, array params )

pg_query_params() works identically to pg_query(), except that instead of putting query parameters directly into the query string, placeholders are used and the parameters are passed in separately. Unlike pg_query(), only one non-empty SQL statement can be executed at a time.

Parameters passed in this way are automatically quoted and escaped if necessary. This is an effective way of improving the security of your scripts and eliminating the need for manual quoting and escaping of parameters.

Placeholders are indicated in the query by $1, $2, $3 and so on. The first parameter will be substituted for $1, the second for $2, the third for $3.


Example 1. Using pg_query_params()

<?php
// Connect to a database named "mary"
$dbconn = pg_connect("dbname=mary");

// Find all shops named Joe's Widgets.  Note that it is not necessary to
// escape "Joe's Widgets": the value is sent separately from the SQL text
// and the placeholder $1 is bound to the first element of the array.
$result = pg_query_params($dbconn, 'SELECT * FROM shops WHERE name = $1', array("Joe's Widgets"));

// Compare against just using pg_query: the value must be escaped by hand
// and wrapped in quotes inside the query string.
$str = pg_escape_string("Joe's Widgets");
$result = pg_query($dbconn, "SELECT * FROM shops WHERE name = '{$str}'");
?>
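The following is an added example, not part of the manual's own text, showing several placeholders, a NULL parameter, an input that looks like SQL, and error handling. It assumes a database "mary" with a table shops(name text, city text, rating integer); the table layout and sample values are assumptions.

```php
<?php
// Added example (not from the PHP manual). Assumes database "mary" with a
// table shops(name text, city text, rating integer).
$dbconn = pg_connect("dbname=mary");
if ($dbconn === false) {
    die("Could not connect\n");
}

// Untrusted input, e.g. from $_GET. The first value would close the
// string literal if it were interpolated into the SQL text.
$name   = "x' OR '1'='1";
$city   = null;          // PHP NULL is sent as SQL NULL
$rating = 3;             // integers are sent as text and cast by the server

// Placeholders are numbered by position in the params array: $1 = $name,
// $2 = $city, $3 = $rating. The same placeholder may be reused in the query.
$sql = 'SELECT name, city, rating FROM shops'
     . ' WHERE name = $1'
     . '   AND ($2::text IS NULL OR city = $2)'
     . '   AND rating >= $3';

$result = pg_query_params($dbconn, $sql, array($name, $city, $rating));
if ($result === false) {
    // pg_query_params() returns FALSE on failure, for example when the
    // query text contains more than one statement.
    die("Query failed: " . pg_last_error($dbconn) . "\n");
}

// $name was compared as a plain string value, so this matches only a shop
// whose name is literally "x' OR '1'='1" (normally zero rows).
echo pg_num_rows($result), " row(s)\n";
while ($row = pg_fetch_assoc($result)) {
    printf("%s / %s / %d\n", $row['name'], $row['city'], $row['rating']);
}

// Parameters carry values only. A table or column name cannot be passed
// as $n; the server rejects such a query, so identifiers that come from
// user input must be checked against an allow-list in PHP instead.
pg_free_result($result);
pg_close($dbconn);
?>
```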


See also