<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Submits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text.</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.pg-put-line.html">pg_put_line</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.pg-query.html">pg_query</a></div>
<div class="up"><a href="ref.pgsql.html">PostgreSQL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="function.pg-query-params" class="refentry">
<div class="refnamediv">
<h1 class="refname">pg_query_params</h1>
<p class="verinfo">(PHP 5 >= 5.1.0)</p><p class="refpurpose"><span class="refname">pg_query_params</span> — <span class="dc-title">Submits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text.</span></p>
</div>
<div class="refsect1 description" id="refsect1-function.pg-query-params-description">
<h3 class="title">Description</h3>
<div class="methodsynopsis dc-description">
<span class="type">resource</span> <span class="methodname"><strong>pg_query_params</strong></span>
([ <span class="methodparam"><span class="type">resource</span> <code class="parameter">$connection</code></span>
], <span class="methodparam"><span class="type">string</span> <code class="parameter">$query</code></span>
, <span class="methodparam"><span class="type">array</span> <code class="parameter">$params</code></span>
)</div>
<p class="para rdfs-comment">
Submits a command to the server and waits for the result, with the ability
to pass parameters separately from the SQL command text.
</p>
<p class="para">
<span class="function"><strong>pg_query_params()</strong></span> is like <span class="function"><a href="function.pg-query.html" class="function">pg_query()</a></span>,
but offers additional functionality: parameter
values can be specified separately from the command string proper.
<span class="function"><strong>pg_query_params()</strong></span> is supported only against PostgreSQL 7.4 or
higher connections; it will fail when using earlier versions.
</p>
<p class="para">
If parameters are used, they are referred to in the
<em><code class="parameter">query</code></em> string as $1, $2, etc. The same parameter may
appear more than once in the <em><code class="parameter">query</code></em>; the same value
will be used in that case. <em><code class="parameter">params</code></em> specifies the
actual values of the parameters. A <strong><code>NULL</code></strong> value in this array means the
corresponding parameter is SQL <em>NULL</em>.
</p>
<p class="para">
The primary advantage of <span class="function"><strong>pg_query_params()</strong></span> over <span class="function"><a href="function.pg-query.html" class="function">pg_query()</a></span>
is that parameter values
may be separated from the <em><code class="parameter">query</code></em> string, thus avoiding the need for tedious
and error-prone quoting and escaping. Unlike <span class="function"><a href="function.pg-query.html" class="function">pg_query()</a></span>,
<span class="function"><strong>pg_query_params()</strong></span> allows at
most one SQL command in the given string. (There can be semicolons in it,
but not more than one nonempty command.)
</p>
</div>
<div class="refsect1 parameters" id="refsect1-function.pg-query-params-parameters">
<h3 class="title">Parameters</h3>
<p class="para">
<dl>
<dt>
<span class="term"><em><code class="parameter">connection</code></em></span>
<dd>
<p class="para">
PostgreSQL database connection resource. When
<em><code class="parameter">connection</code></em> is not present, the default connection
is used. The default connection is the last connection made by
<span class="function"><a href="function.pg-connect.html" class="function">pg_connect()</a></span> or <span class="function"><a href="function.pg-pconnect.html" class="function">pg_pconnect()</a></span>.
</p>
</dd>
</dt>
<dt>
<span class="term"><em><code class="parameter">query</code></em></span>
<dd>
<p class="para">
The parameterized SQL statement. Must contain only a single statement.
(multiple statements separated by semi-colons are not allowed.) If any parameters
are used, they are referred to as $1, $2, etc.
</p>
<p class="para">
User-supplied values should always be passed as parameters, not
interpolated into the query string, where they form possible
<a href="security.database.sql-injection.html" class="link"> SQL injection</a>
attack vectors and introduce bugs when handling data containing quotes.
If for some reason you cannot use a parameter, ensure that interpolated
values are <a href="function.pg-escape-string.html" class="link">properly escaped</a>.
</p>
</dd>
</dt>
<dt>
<span class="term"><em><code class="parameter">params</code></em></span>
<dd>
<p class="para">
An array of parameter values to substitute for the $1, $2, etc. placeholders
in the original prepared query string. The number of elements in the array
must match the number of placeholders.
</p>
<p class="para">
Values intended for <em>bytea</em> fields are not supported as
parameters. Use <span class="function"><a href="function.pg-escape-bytea.html" class="function">pg_escape_bytea()</a></span> instead, or use the
large object functions.
</p>
</dd>
</dt>
</dl>
</p>
</div>
<div class="refsect1 returnvalues" id="refsect1-function.pg-query-params-returnvalues">
<h3 class="title">Return Values</h3>
<p class="para">
A query result resource on success or <strong><code>FALSE</code></strong> on failure.</p>
</div>
<div class="refsect1 examples" id="refsect1-function.pg-query-params-examples">
<h3 class="title">Examples</h3>
<p class="para">
<div class="example" id="example-2109">
<p><strong>Example #1 Using <span class="function"><strong>pg_query_params()</strong></span></strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// Connect to a database named "mary"<br /></span><span style="color: #0000BB">$dbconn </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_connect</span><span style="color: #007700">(</span><span style="color: #DD0000">"dbname=mary"</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// Find all shops named Joe's Widgets. Note that it is not necessary to<br />// escape "Joe's Widgets"<br /></span><span style="color: #0000BB">$result </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_query_params</span><span style="color: #007700">(</span><span style="color: #0000BB">$dbconn</span><span style="color: #007700">, </span><span style="color: #DD0000">'SELECT * FROM shops WHERE name = $1'</span><span style="color: #007700">, array(</span><span style="color: #DD0000">"Joe's Widgets"</span><span style="color: #007700">));<br /><br /></span><span style="color: #FF8000">// Compare against just using pg_query<br /></span><span style="color: #0000BB">$str </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_escape_string</span><span style="color: #007700">(</span><span style="color: #DD0000">"Joe's Widgets"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">$result </span><span style="color: #007700">= </span><span style="color: #0000BB">pg_query</span><span style="color: #007700">(</span><span style="color: #0000BB">$dbconn</span><span style="color: #007700">, </span><span style="color: #DD0000">"SELECT * FROM shops WHERE name = '</span><span style="color: #007700">{</span><span style="color: #0000BB">$str</span><span style="color: #007700">}</span><span style="color: #DD0000">'"</span><span style="color: #007700">);<br /><br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
</p>
</div>
<div class="refsect1 seealso" id="refsect1-function.pg-query-params-seealso">
<h3 class="title">See Also</h3>
<p class="para">
<ul class="simplelist">
<li class="member"> <span class="function"><a href="function.pg-query.html" class="function" rel="rdfs-seeAlso">pg_query()</a> - Execute a query</span></li>
</ul>
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.pg-put-line.html">pg_put_line</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.pg-query.html">pg_query</a></div>
<div class="up"><a href="ref.pgsql.html">PostgreSQL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
