<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Quotes a string for use in a query.</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="pdo.query.html">PDO::query</a></div>
<div class="next" style="text-align: right; float: right;"><a href="pdo.rollback.html">PDO::rollBack</a></div>
<div class="up"><a href="class.pdo.html">PDO</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="pdo.quote" class="refentry">
<div class="refnamediv">
<h1 class="refname">PDO::quote</h1>
<p class="verinfo">(PHP 5 >= 5.1.0, PECL pdo >= 0.2.1)</p><p class="refpurpose"><span class="refname">PDO::quote</span> — <span class="dc-title">
Quotes a string for use in a query.
</span></p>
</div>
<div class="refsect1 description" id="refsect1-pdo.quote-description">
<h3 class="title">Description</h3>
<div class="methodsynopsis dc-description">
<span class="modifier">public</span> <span class="type">string</span> <span class="methodname"><strong>PDO::quote</strong></span>
( <span class="methodparam"><span class="type">string</span> <code class="parameter">$string</code></span>
[, <span class="methodparam"><span class="type">int</span> <code class="parameter">$parameter_type</code><span class="initializer"> = PDO::PARAM_STR</span></span>
] )</div>
<p class="para rdfs-comment">
<span class="function"><strong>PDO::quote()</strong></span> places quotes around the input string (if
required) and escapes special characters within the input string, using a
quoting style appropriate to the underlying driver.
</p>
<p class="para">
If you are using this function to build SQL statements, you are
<em class="emphasis">strongly</em> recommended to use
<span class="function"><a href="pdo.prepare.html" class="function">PDO::prepare()</a></span> to prepare SQL statements with bound
parameters instead of using <span class="function"><strong>PDO::quote()</strong></span> to interpolate
user input into an SQL statement. Prepared statements with bound parameters
are not only more portable, more convenient, immune to SQL injection, but
are often much faster to execute than interpolated queries, as both the
server and client side can cache a compiled form of the query.
</p>
<p class="para">
Not all PDO drivers implement this method (notably PDO_ODBC). Consider
using prepared statements instead.
</p>
<div class="caution"><strong class="caution">Caution</strong>
<h1 class="title">Security: the default character set</h1>
<p class="para">
The character set must be set either on the server level, or within the
database connection itself (depending on the driver) for it to affect
<span class="methodname"><strong>PDO::quote()</strong></span>. See the <a href="pdo.drivers.html" class="link">driver-specific
documentation</a> for more information.
</p>
</div>
</div>
<div class="refsect1 parameters" id="refsect1-pdo.quote-parameters">
<h3 class="title">Parameters</h3>
<p class="para">
<dl>
<dt>
<span class="term"><em><code class="parameter">string</code></em></span>
<dd>
<p class="para">
The string to be quoted.
</p>
</dd>
</dt>
<dt>
<span class="term"><em><code class="parameter">parameter_type</code></em></span>
<dd>
<p class="para">
Provides a data type hint for drivers that have alternate quoting styles.
</p>
</dd>
</dt>
</dl>
</p>
</div>
<div class="refsect1 returnvalues" id="refsect1-pdo.quote-returnvalues">
<h3 class="title">Return Values</h3>
<p class="para">
Returns a quoted string that is theoretically safe to pass into an
SQL statement. Returns <strong><code>FALSE</code></strong> if the driver does not support quoting in
this way.
</p>
</div>
<div class="refsect1 examples" id="refsect1-pdo.quote-examples">
<h3 class="title">Examples</h3>
<p class="para">
<div class="example" id="example-929">
<p><strong>Example #1 Quoting a normal string</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$conn </span><span style="color: #007700">= new </span><span style="color: #0000BB">PDO</span><span style="color: #007700">(</span><span style="color: #DD0000">'sqlite:/home/lynn/music.sql3'</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/* Simple string */<br /></span><span style="color: #0000BB">$string </span><span style="color: #007700">= </span><span style="color: #DD0000">'Nice'</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Unquoted string: </span><span style="color: #0000BB">$string</span><span style="color: #DD0000">\n"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Quoted string: " </span><span style="color: #007700">. </span><span style="color: #0000BB">$conn</span><span style="color: #007700">-></span><span style="color: #0000BB">quote</span><span style="color: #007700">(</span><span style="color: #0000BB">$string</span><span style="color: #007700">) . </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
<div class="example-contents"><p>The above example will output:</p></div>
<div class="example-contents screen">
<div class="cdata"><pre>
Unquoted string: Nice
Quoted string: 'Nice'
</pre></div>
</div>
</div>
<div class="example" id="example-930">
<p><strong>Example #2 Quoting a dangerous string</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$conn </span><span style="color: #007700">= new </span><span style="color: #0000BB">PDO</span><span style="color: #007700">(</span><span style="color: #DD0000">'sqlite:/home/lynn/music.sql3'</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/* Dangerous string */<br /></span><span style="color: #0000BB">$string </span><span style="color: #007700">= </span><span style="color: #DD0000">'Naughty \' string'</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Unquoted string: </span><span style="color: #0000BB">$string</span><span style="color: #DD0000">\n"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Quoted string:" </span><span style="color: #007700">. </span><span style="color: #0000BB">$conn</span><span style="color: #007700">-></span><span style="color: #0000BB">quote</span><span style="color: #007700">(</span><span style="color: #0000BB">$string</span><span style="color: #007700">) . </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
<div class="example-contents"><p>The above example will output:</p></div>
<div class="example-contents screen">
<div class="cdata"><pre>
Unquoted string: Naughty ' string
Quoted string: 'Naughty '' string'
</pre></div>
</div>
</div>
<div class="example" id="example-931">
<p><strong>Example #3 Quoting a complex string</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$conn </span><span style="color: #007700">= new </span><span style="color: #0000BB">PDO</span><span style="color: #007700">(</span><span style="color: #DD0000">'sqlite:/home/lynn/music.sql3'</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/* Complex string */<br /></span><span style="color: #0000BB">$string </span><span style="color: #007700">= </span><span style="color: #DD0000">"Co'mpl''ex \"st'\"ring"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Unquoted string: </span><span style="color: #0000BB">$string</span><span style="color: #DD0000">\n"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Quoted string: " </span><span style="color: #007700">. </span><span style="color: #0000BB">$conn</span><span style="color: #007700">-></span><span style="color: #0000BB">quote</span><span style="color: #007700">(</span><span style="color: #0000BB">$string</span><span style="color: #007700">) . </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
<div class="example-contents"><p>The above example will output:</p></div>
<div class="example-contents screen">
<div class="cdata"><pre>
Unquoted string: Co'mpl''ex "st'"ring
Quoted string: 'Co''mpl''''ex "st''"ring'
</pre></div>
</div>
</div>
</p>
</div>
<div class="refsect1 seealso" id="refsect1-pdo.quote-seealso">
<h3 class="title">See Also</h3>
<p class="para">
<ul class="simplelist">
<li class="member"> <span class="function"><a href="pdo.prepare.html" class="function" rel="rdfs-seeAlso">PDO::prepare()</a> - Prepares a statement for execution and returns a statement object</span></li>
<li class="member"> <span class="function"><a href="pdostatement.execute.html" class="function" rel="rdfs-seeAlso">PDOStatement::execute()</a> - Executes a prepared statement</span></li>
</ul>
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="pdo.query.html">PDO::query</a></div>
<div class="next" style="text-align: right; float: right;"><a href="pdo.rollback.html">PDO::rollBack</a></div>
<div class="up"><a href="class.pdo.html">PDO</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
