I suppose I could say why PDO_ODBC does not implement it, and never will, to try and reduce the number of user notes.
Dan
On 8/30/05, Wez Furlong <[EMAIL PROTECTED]> wrote:
And PDO::quote() does nothing for ODBC, because it currently has no
idea what dialect of SQL is spoken by the underlying ODBC driver.
--Wez.
On 8/30/05, Dan Scott <[EMAIL PROTECTED]> wrote:
> dbs Tue Aug 30 20:56:36 2005 EDT
>
> Modified files:
> /phpdoc/en/reference/pdo/functions PDO-quote.xml
> Log:
> Emphasize the usefulness of prepared statements vs. quoted input.
>
>
> http://cvs.php.net/diff.php/phpdoc/en/reference/pdo/functions/PDO-quote.xml?r1=1.2&r2=1.3&ty=u
> Index: phpdoc/en/reference/pdo/functions/PDO-quote.xml
> diff -u phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2 phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.3
> --- phpdoc/en/reference/pdo/functions/PDO- quote.xml:1.2 Mon Jul 11 00:38:55 2005
> +++ phpdoc/en/reference/pdo/functions/PDO-quote.xml Tue Aug 30 20:56:35 2005
> @@ -1,5 +1,5 @@
> <?xml version="1.0" encoding="iso-8859-1"?>
> -<!-- $Revision: 1.2 $ -->
> +<!-- $Revision: 1.3 $ -->
> <!-- Generated by xml_proto.php v2.2. Found in /scripts directory of phpdoc. -->
> <refentry id="function.PDO-quote ">
> <refnamediv>
> @@ -24,9 +24,14 @@
> quoting style appropriate to the underlying driver.
> </para>
> <para>
> - If you're using this function to build SQL, it is recommended that you
> - using prepared statements and bound parameters instead, as it is not only
> - more convenient, but often much faster.
> + If you are using this function to build SQL statements, you are
> + <emphasis>strongly</emphasis> recommended to use
> + <function>PDO::prepare</function> to prepare SQL statements with bound
> + parameters instead of using <function>PDO::quote</function> to interpolate
> + user input into a SQL statement. Prepared statements with bound parameters
> + are not only more portable, more convenient, and vastly more secure, but
> + are often much faster than interpolating user input into slight variations
> + on the same basic SQL statement.
> </para>
> <para>
> Not all PDO drivers implement this method (notably PDO_ODBC). Consider
>
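Review bot: In the rewritten <para>, "vastly more secure" is asserted without the reason, and the sentence carrying it runs four lines and repeats "interpolate/interpolating user input". Suggest stating the reason directly: with bound parameters the user input is handled as data rather than spliced into the SQL string by the application, so it cannot change the structure of the statement. The performance point would then fit in a sentence of its own. "you are <emphasis>strongly</emphasis> recommended to use" would read more naturally as "it is strongly recommended that you use". The unchanged context line that follows already says not all PDO drivers implement this method (notably PDO_ODBC); the "more portable" claim would be clearer if it were tied to that sentence, since that is the case where quoting gives no protection at all.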
