<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Quotes a string for use in a query.</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="pdo.query.html">PDO::query</a></div> <div class="next" style="text-align: right; float: right;"><a href="pdo.rollback.html">PDO::rollBack</a></div> <div class="up"><a href="class.pdo.html">PDO</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="pdo.quote" class="refentry"> <div class="refnamediv"> <h1 class="refname">PDO::quote</h1> <p class="verinfo">(PHP 5 >= 5.1.0, PECL pdo >= 0.2.1)</p><p class="refpurpose"><span class="refname">PDO::quote</span> — <span class="dc-title"> Quotes a string for use in a query. </span></p> </div> <div class="refsect1 description" id="refsect1-pdo.quote-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="modifier">public</span> <span class="type">string</span> <span class="methodname"><strong>PDO::quote</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$string</code></span> [, <span class="methodparam"><span class="type">int</span> <code class="parameter">$parameter_type</code><span class="initializer"> = PDO::PARAM_STR</span></span> ] )</div> <p class="para rdfs-comment"> <span class="function"><strong>PDO::quote()</strong></span> places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver. </p> <p class="para"> If you are using this function to build SQL statements, you are <em class="emphasis">strongly</em> recommended to use <span class="function"><a href="pdo.prepare.html" class="function">PDO::prepare()</a></span> to prepare SQL statements with bound parameters instead of using <span class="function"><strong>PDO::quote()</strong></span> to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query. </p> <p class="para"> Not all PDO drivers implement this method (notably PDO_ODBC). Consider using prepared statements instead. </p> <div class="caution"><strong class="caution">Caution</strong> <h1 class="title">Security: the default character set</h1> <p class="para"> The character set must be set either on the server level, or within the database connection itself (depending on the driver) for it to affect <span class="methodname"><strong>PDO::quote()</strong></span>. See the <a href="pdo.drivers.html" class="link">driver-specific documentation</a> for more information. </p> </div> </div> <div class="refsect1 parameters" id="refsect1-pdo.quote-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <span class="term"><em><code class="parameter">string</code></em></span> <dd> <p class="para"> The string to be quoted. </p> </dd> </dt> <dt> <span class="term"><em><code class="parameter">parameter_type</code></em></span> <dd> <p class="para"> Provides a data type hint for drivers that have alternate quoting styles. </p> </dd> </dt> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-pdo.quote-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns a quoted string that is theoretically safe to pass into an SQL statement. Returns <strong><code>FALSE</code></strong> if the driver does not support quoting in this way. </p> </div> <div class="refsect1 examples" id="refsect1-pdo.quote-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-929"> <p><strong>Example #1 Quoting a normal string</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$conn </span><span style="color: #007700">= new </span><span style="color: #0000BB">PDO</span><span style="color: #007700">(</span><span style="color: #DD0000">'sqlite:/home/lynn/music.sql3'</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/* Simple string */<br /></span><span style="color: #0000BB">$string </span><span style="color: #007700">= </span><span style="color: #DD0000">'Nice'</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Unquoted string: </span><span style="color: #0000BB">$string</span><span style="color: #DD0000">\n"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Quoted string: " </span><span style="color: #007700">. </span><span style="color: #0000BB">$conn</span><span style="color: #007700">-></span><span style="color: #0000BB">quote</span><span style="color: #007700">(</span><span style="color: #0000BB">$string</span><span style="color: #007700">) . </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <div class="example-contents"><p>The above example will output:</p></div> <div class="example-contents screen"> <div class="cdata"><pre> Unquoted string: Nice Quoted string: 'Nice' </pre></div> </div> </div> <div class="example" id="example-930"> <p><strong>Example #2 Quoting a dangerous string</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$conn </span><span style="color: #007700">= new </span><span style="color: #0000BB">PDO</span><span style="color: #007700">(</span><span style="color: #DD0000">'sqlite:/home/lynn/music.sql3'</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/* Dangerous string */<br /></span><span style="color: #0000BB">$string </span><span style="color: #007700">= </span><span style="color: #DD0000">'Naughty \' string'</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Unquoted string: </span><span style="color: #0000BB">$string</span><span style="color: #DD0000">\n"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Quoted string:" </span><span style="color: #007700">. </span><span style="color: #0000BB">$conn</span><span style="color: #007700">-></span><span style="color: #0000BB">quote</span><span style="color: #007700">(</span><span style="color: #0000BB">$string</span><span style="color: #007700">) . </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <div class="example-contents"><p>The above example will output:</p></div> <div class="example-contents screen"> <div class="cdata"><pre> Unquoted string: Naughty ' string Quoted string: 'Naughty '' string' </pre></div> </div> </div> <div class="example" id="example-931"> <p><strong>Example #3 Quoting a complex string</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$conn </span><span style="color: #007700">= new </span><span style="color: #0000BB">PDO</span><span style="color: #007700">(</span><span style="color: #DD0000">'sqlite:/home/lynn/music.sql3'</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">/* Complex string */<br /></span><span style="color: #0000BB">$string </span><span style="color: #007700">= </span><span style="color: #DD0000">"Co'mpl''ex \"st'\"ring"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Unquoted string: </span><span style="color: #0000BB">$string</span><span style="color: #DD0000">\n"</span><span style="color: #007700">;<br />print </span><span style="color: #DD0000">"Quoted string: " </span><span style="color: #007700">. </span><span style="color: #0000BB">$conn</span><span style="color: #007700">-></span><span style="color: #0000BB">quote</span><span style="color: #007700">(</span><span style="color: #0000BB">$string</span><span style="color: #007700">) . </span><span style="color: #DD0000">"\n"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <div class="example-contents"><p>The above example will output:</p></div> <div class="example-contents screen"> <div class="cdata"><pre> Unquoted string: Co'mpl''ex "st'"ring Quoted string: 'Co''mpl''''ex "st''"ring' </pre></div> </div> </div> </p> </div> <div class="refsect1 seealso" id="refsect1-pdo.quote-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"> <span class="function"><a href="pdo.prepare.html" class="function" rel="rdfs-seeAlso">PDO::prepare()</a> - Prepares a statement for execution and returns a statement object</span></li> <li class="member"> <span class="function"><a href="pdostatement.execute.html" class="function" rel="rdfs-seeAlso">PDOStatement::execute()</a> - Executes a prepared statement</span></li> </ul> </p> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="pdo.query.html">PDO::query</a></div> <div class="next" style="text-align: right; float: right;"><a href="pdo.rollback.html">PDO::rollBack</a></div> <div class="up"><a href="class.pdo.html">PDO</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>