(no version information, might be only in CVS)

pg_send_query_params --  Sends asynchronous query, specifying query variables as separate parameters


bool pg_send_query_params ( resource connection, string query, array params )

pg_send_query_params() works identically to pg_send_query(), except that instead of putting query parameters directly into the query string, placeholders are used and the parameters are passed in separately. Unlike pg_send_query(), only one non-empty SQL statement can be executed at a time.

Parameters passed in this way are automatically quoted and escaped if necessary. This is an effective way of improving the security of your scripts and eliminating the need for manual quoting and escaping of parameters.

Placeholders are indicated in the query by $1, $2, $3 and so on. The first parameter will be substituted for $1, the second for $2, the third for $3.


Example 1. Using pg_send_query_params()

<?php
$dbconn = pg_connect("dbname=publisher") or die("Could not connect");

// Using parameters.  Note that it is not necessary to quote or escape
// the parameter: it is sent separately from the statement text.
pg_send_query_params($dbconn, 'select count(*) from authors where city = $1', array('Perth'));

// Compare against basic pg_send_query usage, where the value has to be
// escaped by hand before being interpolated into the statement.
$str = pg_escape_string('Perth');
pg_send_query($dbconn, "select count(*) from authors where city = '{$str}'");
?>
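A fuller walk-through, added here and not part of the PHP manual: it dispatches a parameterized query asynchronously, waits for it, reads the result, and then shows the single-statement restriction being enforced. It assumes a reachable database named publisher with an authors table that has a city column.

```php
<?php
// Added example (not from the PHP manual). Assumes dbname=publisher is
// reachable and has an "authors" table with a "city" column.
$dbconn = pg_connect("dbname=publisher") or die("Could not connect");

// A value containing a single quote. Passed as data through $1, it needs
// no escaping and cannot alter the structure of the statement.
$city = "O'Brien's Landing";

if (!pg_send_query_params($dbconn, 'SELECT count(*) FROM authors WHERE city = $1', array($city))) {
    die("Could not dispatch query: " . pg_last_error($dbconn));
}

// The send returns immediately; poll until the server has answered.
while (pg_connection_busy($dbconn)) {
    usleep(1000);
}

$result = pg_get_result($dbconn);
if ($result === false || pg_result_status($result) !== PGSQL_TUPLES_OK) {
    $err = $result ? pg_result_error($result) : pg_last_error($dbconn);
    die("Query failed: " . $err);
}
echo "Authors in {$city}: " . pg_fetch_result($result, 0, 0) . "\n";

// Only one non-empty statement is allowed per call. Two statements are
// dispatched but the server rejects them, so the result carries an error
// instead of rows.
pg_send_query_params($dbconn, 'SELECT 1; SELECT 2', array());
$result = pg_get_result($dbconn);
if ($result === false || pg_result_status($result) !== PGSQL_TUPLES_OK) {
    $err = $result ? pg_result_error($result) : pg_last_error($dbconn);
    echo "Multi-statement query rejected: " . $err . "\n";
}
?>
```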

See also