dbs Tue Aug 30 20:56:36 2005 EDT
Modified files:
/phpdoc/en/reference/pdo/functions PDO-quote.xml
Log:
Emphasize the usefulness of prepared statements vs. quoted input.
http://cvs.php.net/diff.php/phpdoc/en/reference/pdo/functions/PDO-quote.xml?r1=1.2&r2=1.3&ty=u
Index: phpdoc/en/reference/pdo/functions/PDO-quote.xml
diff -u phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2
phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.3
--- phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2 Mon Jul 11 00:38:55 2005
+++ phpdoc/en/reference/pdo/functions/PDO-quote.xml Tue Aug 30 20:56:35 2005
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.2 $ -->
+<!-- $Revision: 1.3 $ -->
<!-- Generated by xml_proto.php v2.2. Found in /scripts directory of phpdoc.
-->
<refentry id="function.PDO-quote">
<refnamediv>
@@ -24,9 +24,14 @@
quoting style appropriate to the underlying driver.
</para>
<para>
- If you're using this function to build SQL, it is recommended that you
- using prepared statements and bound parameters instead, as it is not only
- more convenient, but often much faster.
+ If you are using this function to build SQL statements, you are
+ <emphasis>strongly</emphasis> recommended to use
+ <function>PDO::prepare</function> to prepare SQL statements with bound
+ parameters instead of using <function>PDO::quote</function> to interpolate
+ user input into a SQL statement. Prepared statements with bound parameters
+ are not only more portable, more convenient, and vastly more secure, but
+ are often much faster than interpolating user input into slight variations
+ on the same basic SQL statement.
</para>
<para>
Not all PDO drivers implement this method (notably PDO_ODBC). Consider
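Review bot: the new paragraph at "you are <emphasis>strongly</emphasis> recommended to use" is ungrammatical; it should read "it is <emphasis>strongly</emphasis> recommended that you use <function>PDO::prepare</function> ...". The paragraph also asserts that bound parameters are "vastly more secure" without saying why, which is the point this commit exists to make; add one clause such as "because bound values are never interpolated into the SQL text, so they cannot alter the statement's structure", so that a reader understands the security advantage rather than just the convenience and speed ones. Finally, since the surrounding text still says PDO::quote is for building SQL, it would help to state here that PDO::quote is only for quoting string literals (not identifiers or numeric values), which is the remaining legitimate use once prepared statements cover user input.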