Method Sql.Sql()->quote()
- Method
quote
string
quote(string
s
)- Description
Quote a string
s
so that it can safely be put in a query.All input that is used in SQL-querys should be quoted to prevent SQL injections.
Consider this harmfull code:
string my_input = "rob' OR name!='rob"; string my_query = "DELETE FROM tblUsers WHERE name='"+my_input+"'"; my_db->query(my_query);
This type of problems can be avoided by quoting my_input. my_input would then probably read something like rob\' OR name!=\'rob
Usually this is done - not by calling quote explicitly - but through using a sprintf like syntax
string my_input = "rob' OR name!='rob"; my_db->query("DELETE FROM tblUsers WHERE name=%s",my_input);