@@ -105,6 +105,34 @@ First argument is the statement, second argument is an array of parameters (opti
105
105
106
106
Note: We passed the query into a variable for later re-use.
107
107
108
+
### Quote
109
+
```php
110
+
$quoted_string = DB::quote($_GET['id']);
111
+
```
112
+
113
+
```php
114
+
# Remove Quotes after quoting, and right before output,
115
+
# giving you a similar string as mysql_real_escape_string
116
+
$quoted_string = DB::quote($_GET['id'], 1);
117
+
```
118
+
119
+
Escaping in PDO adds quotes around the escaped string, which is an issue if you try doing a **LIKE** query:
120
+
121
+
```php
122
+
# Default Quote adds '' quotes around the field, forcing you to do:
123
+
DB::query("SELECT * FROM table WHERE field LIKE ?", ['%'.$input.'%']);
124
+
DB::query("SELECT * FROM table WHERE field LIKE ".DB::quote('%'.$input.'%'));
125
+
126
+
# Removed Quoting, quotes but removes added quotes
127
+
DB::query("SELECT * FROM table WHERE field LIKE '%".DB::quote($input,1)."%'";
128
+
```
129
+
130
+
PDO does not provide a way to turn off quotes around escaped strings so, we created a function that simply removes the quotes (first and last characters).
131
+
This returns a string similar to the old [mysql_real_escape_string](http://php.net/manual/en/function.mysql-real-escape-string.php) function.
132
+
133
+
Please note that this requires you to start adding quotes yourself. Escaping is the default when you bind parameters in PDO.
134
+
As such, escaping is turned on by default as per the original function (passthrough).
135
+
108
136
### Fetch and **Safe Fetch**
109
137
This is regular returned object. You still need to apply htmlspecialchars yourself.
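Review bot: The third LIKE example in this hunk, `DB::query("SELECT * FROM table WHERE field LIKE '%".DB::quote($input,1)."%'";`, is missing the closing parenthesis of the `DB::query(` call and will not parse; it should end with `."%'");`. Two documentation points follow from the same hunk. First, the sentence "Escaping in PDO adds quotes around the escaped string, which is an issue if you try doing a LIKE query" is contradicted by the example immediately below it, `DB::query("SELECT * FROM table WHERE field LIKE ?", ['%'.$input.'%']);`, which shows that binding the wildcard-wrapped value as a parameter works without any quoting or quote stripping; the text should present that form as the preferred one and describe the `DB::quote($input, 1)` form as a fallback for building SQL by concatenation. Second, because the quote-stripping mode produces a value that is only safe when the caller wraps it in quotes themselves (as the "Please note that this requires you to start adding quotes yourself" line says), that warning belongs directly beside the `DB::quote($_GET['id'], 1)` example at the top of the section rather than several paragraphs below it, and the closing lines "Escaping is the default when you bind parameters in PDO. As such, escaping is turned on by default as per the original function (passthrough)." should say plainly what the second argument defaults to and what "passthrough" refers to, since as written a reader cannot tell which function or default is meant.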