PHP.nl

pg_query_params

pg_query_params — Submits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text

**pg_query_params**(PgSql\Connection $connection, string $query, array $params): PgSql\Result|false

Submits a command to the server and waits for the result, with the ability to pass parameters separately from the SQL command text.

pg_query_params() is like pg_query(), but offers additional functionality: parameter values can be specified separately from the command string proper.

If parameters are used, they are referred to in the query string as $1, $2, etc. The same parameter may appear more than once in the query; the same value will be used in that case. params specifies the actual values of the parameters. A null value in this array means the corresponding parameter is SQL NULL.
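The two behaviours described above, a placeholder reused within one statement and a PHP null sent as SQL NULL, as an added example that is not part of the manual page. It assumes PHP 8.1+ (for the PgSql\Connection type), a reachable database named "mary" and a table shops(id, name, city); the table, column and database names are assumptions. It also shows the caveat a practitioner runs into with null parameters: `col = $1` with a NULL bound never matches, because `= NULL` is never true in SQL.

```php
<?php
// Added example, not from the PHP manual. Assumes PHP 8.1+, a reachable
// database and a table shops(id serial primary key, name text, city text);
// those names are assumptions.
$dbconn = pg_connect("dbname=mary");
if ($dbconn === false) {
    die("connection failed\n");
}

// Small helper so every query result is checked before use.
function run(PgSql\Connection $conn, string $sql, array $params): PgSql\Result
{
    $result = pg_query_params($conn, $sql, $params);
    if ($result === false) {
        die("query failed: " . pg_last_error($conn) . "\n");
    }
    return $result;
}

// One placeholder used twice: $1 is bound once and both occurrences see the
// same value, so the params array holds a single element.
$result = run(
    $dbconn,
    'SELECT id, name, city FROM shops WHERE name = $1 OR city = $1',
    ["Joe's Widgets"]
);
echo pg_num_rows($result) . " shops named or located in Joe's Widgets\n";

// A PHP null is sent as SQL NULL. Caveat: "city = NULL" is never true in
// SQL, so this matches no rows even when some shops have a NULL city.
$result = run($dbconn, 'SELECT id FROM shops WHERE city = $1', [null]);
echo pg_num_rows($result) . " rows for city = NULL\n";

// To make a null parameter match NULL columns, compare with IS NOT DISTINCT
// FROM. The cast is optional here (the column type would be inferred) but is
// the idiom to reach for when PostgreSQL cannot determine a parameter's type.
$result = run(
    $dbconn,
    'SELECT id FROM shops WHERE city IS NOT DISTINCT FROM $1::text',
    [null]
);
echo pg_num_rows($result) . " rows for city IS NOT DISTINCT FROM NULL\n";
```

The same null-handling rule applies to INSERT and UPDATE: a null element writes SQL NULL into the column, which is usually what is wanted there; it is only in comparisons that the `= NULL` trap bites.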

The primary advantage of pg_query_params() over pg_query() is that parameter values may be separated from the query string, thus avoiding the need for tedious and error-prone quoting and escaping. Unlike pg_query(), pg_query_params() allows at most one SQL command in the given string. (There can be semicolons in it, but not more than one nonempty command.)
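The injection risk that the paragraph above and the note on the query parameter warn about, as an added example that is not part of the manual page. It puts the interpolating pg_query() call next to the parameterized pg_query_params() call, runs both against a hostile input, and shows that a query text containing two commands is refused. It assumes PHP 8.1+, a reachable database named "mary" and a table shops(id, name); those names, and the helper function names, are assumptions.

```php
<?php
// Added example, not from the PHP manual. Assumes PHP 8.1+, a reachable
// database and a table shops(id serial primary key, name text); those names
// are assumptions.
$dbconn = pg_connect("dbname=mary");
if ($dbconn === false) {
    die("connection failed\n");
}

// VULNERABLE: the value is spliced into the command text, so a quote in the
// input ends the string literal and the rest is parsed as SQL.
function find_shops_unsafe(PgSql\Connection $conn, string $name): array
{
    $result = pg_query($conn, "SELECT id, name FROM shops WHERE name = '{$name}'");
    if ($result === false) {
        return [];
    }
    $rows = pg_fetch_all($result);
    return $rows === false ? [] : $rows;   // older PHP returns false for zero rows
}

// SAFE: the value travels separately from the command text. It can only ever
// be compared against the column; it is never parsed as SQL.
function find_shops_safe(PgSql\Connection $conn, string $name): array
{
    $result = pg_query_params($conn, 'SELECT id, name FROM shops WHERE name = $1', [$name]);
    if ($result === false) {
        return [];
    }
    $rows = pg_fetch_all($result);
    return $rows === false ? [] : $rows;
}

// Constructed hostile input: the classic tautology payload.
$hostile = "x' OR '1'='1";
echo count(find_shops_unsafe($dbconn, $hostile)) . " rows via interpolation (every shop leaks)\n";
echo count(find_shops_safe($dbconn, $hostile)) . " rows via parameters (only a shop literally named so)\n";

// Stacked commands: pg_query_params() accepts a single command, so a query
// text carrying two of them is rejected and the call returns false.
$stacked = pg_query_params($dbconn, 'SELECT 1; SELECT 2', []);
if ($stacked === false) {
    echo "multi-command text refused: " . pg_last_error($dbconn) . "\n";
}
```

With parameters, the payload `x' OR '1'='1` is just a 13-character name that no shop has, so the safe function returns nothing; the unsafe one returns the whole table. The single-command rule is a second line of defence, but it is the separation of data from command text, not the rejection of semicolons, that closes the injection.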

connection
    The PgSql\Connection instance to run the query on.

query
    The parameterized SQL statement. Must contain only a single statement (multiple statements separated by semicolons are not allowed). If any parameters are used, they are referred to as $1, $2, etc.

    User-supplied values should always be passed as parameters, not
    interpolated into the query string, where they form possible
    SQL injection attack vectors and introduce bugs when handling data containing quotes.
    If for some reason you cannot use a parameter, ensure that interpolated
    values are properly escaped.

params
    An array of parameter values to substitute for the $1, $2, etc. placeholders in the original prepared query string. The number of elements in the array must match the number of placeholders.

    Values intended for `bytea` fields are not supported as
    parameters. Use `pg_escape_bytea()` instead, or use the
    large object functions.
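How to get binary data into and out of a bytea column given the restriction above, as an added example that is not part of the manual page. The first insert follows the manual's advice (pg_escape_bytea() plus pg_query()); the second keeps the statement parameterized by hex-encoding the bytes in PHP and decoding them server-side, which is a technique the manual text does not mention. It assumes PHP 8.1+, a reachable database named "mary" and a table attachments(id, body bytea); those names are assumptions, and the payload is constructed.

```php
<?php
// Added example, not from the PHP manual. Assumes PHP 8.1+, a reachable
// database and a table attachments(id serial primary key, body bytea);
// those names are assumptions.
$dbconn = pg_connect("dbname=mary");
if ($dbconn === false) {
    die("connection failed\n");
}

// Constructed sample payload: arbitrary bytes, including a NUL.
$blob = "\x00\x01\xfe\xff binary payload with a NUL byte";

// Not supported as a parameter: pg_query_params() sends parameters as text,
// so arbitrary bytes are not carried intact (a NUL terminates the value).
// Escape the bytes for use as a literal and run the statement with
// pg_query(). Pass the connection so the escaping follows the server's
// settings.
$escaped = pg_escape_bytea($dbconn, $blob);
$result = pg_query($dbconn, "INSERT INTO attachments (body) VALUES ('{$escaped}') RETURNING id");
if ($result === false) {
    die("insert failed: " . pg_last_error($dbconn) . "\n");
}
$id = (int) pg_fetch_result($result, 0, 'id');

// Alternative that keeps everything parameterized (not in the manual text):
// hex-encode in PHP, pass the hex string as an ordinary text parameter, and
// let the server turn it back into bytea with decode().
$result = pg_query_params(
    $dbconn,
    'INSERT INTO attachments (body) VALUES (decode($1, \'hex\')) RETURNING id',
    [bin2hex($blob)]
);
if ($result === false) {
    die("parameterized insert failed: " . pg_last_error($dbconn) . "\n");
}
$id2 = (int) pg_fetch_result($result, 0, 'id');

// Reading back: bytea arrives in the server's escaped output format and
// must be unescaped before use. Both rows should equal the original bytes.
foreach ([$id, $id2] as $rowId) {
    $result = pg_query_params($dbconn, 'SELECT body FROM attachments WHERE id = $1', [$rowId]);
    if ($result === false) {
        die("select failed: " . pg_last_error($dbconn) . "\n");
    }
    $stored = pg_unescape_bytea(pg_fetch_result($result, 0, 'body'));
    echo "row $rowId: " . ($stored === $blob ? "round-trip OK" : "round-trip MISMATCH") . "\n";
}
```

The hex route doubles the bytes on the wire, so for large files the large object functions the manual points to are the better fit; for small blobs it has the advantage that no string is ever interpolated into the command text.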




Returns a PgSql\Result instance on success, or false on failure.

**Example: Using pg_query_params()**

<?php
// Connect to a database named "mary"
$dbconn = pg_connect("dbname=mary");
if ($dbconn === false) {
    die("Could not connect\n");
}

// Find all shops named Joe's Widgets.  Note that it is not necessary to
// escape "Joe's Widgets": the value is sent separately from the command text.
$result = pg_query_params($dbconn, 'SELECT * FROM shops WHERE name = $1', array("Joe's Widgets"));

// Compare against just using pg_query: the value has to be escaped by hand
// and interpolated into the command text. Pass the connection to
// pg_escape_string() so the escaping matches the connection's encoding.
$str = pg_escape_string($dbconn, "Joe's Widgets");
$result = pg_query($dbconn, "SELECT * FROM shops WHERE name = '{$str}'");

?>

See also: pg_query()