
In documentation in

Since the table update() method proxies to the database adapter update() method, the second argument can be an array of SQL expressions. The expressions are combined as Boolean terms using an AND operator. Note: The values and identifiers in the SQL expression are not quoted for you. If you have values or identifiers that require quoting, you are responsible for doing this. Use the quote(), quoteInto(), and quoteIdentifier() methods of the database adapter.

But when I checked the source of the update method, I saw something strange (chain of method calls):

  • Zend_Db_Table_Abstract::update()
  • Zend_Db_Adapter_Abstract::update()
  • Zend_Db_Adapter_Abstract::_whereExpr()
  • Zend_Db_Adapter_Abstract::quoteInto()

and in Zend_Db_Adapter_Abstract::quoteInto() there is quoting. Can anybody explain this? Maybe the documentation is outdated?

PaulP

1 Answer


The values are quoted; the note in the documentation refers to the WHERE clause that you pass in, which you need to quote yourself. Typical usage would be:

$table->update(array(
    'name' => $name, // this gets quoted
    'email' => $email // as does this
), $db->quoteInto('id = ?', $id));
Tim Fountain
  • But $where is also quoted. In _whereExpr() there is a quoteInto() method call. – PaulP Mar 14 '13 at 10:40
  • Yes, my example above could also be written as `array('id', $id)` which would then get quoted. I think the note is there to tell people they can't just pass in a string like `id = $id`. – Tim Fountain Mar 14 '13 at 10:50
  • I think instead of array('id', $id) it should be array('id = ?' => $id). Right? – PaulP Mar 14 '13 at 11:06
  • Thanks. I think the information about not quoting is misleading. In the documentation there is information about the quote* methods but there is none about an array with '?' notation. – PaulP Mar 14 '13 at 11:34
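
The ways of passing the WHERE condition discussed in this thread, compared side by side as an added example (not code from the answer or from Zend Framework). `whereExpr()` and `quoteInto()` here are a simplified model of the behaviour the question describes for `_whereExpr()`, and `quoteValue()` is a hypothetical stand-in for the adapter's driver-specific quoting.

```php
<?php
// Stand-in for the adapter's value quoting (assumption: the real adapter
// delegates to the database driver; this model only doubles single quotes).
function quoteValue($value): string
{
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    return "'" . str_replace("'", "''", (string) $value) . "'";
}

// Stand-in for quoteInto(): substitute the quoted value for each '?'.
function quoteInto(string $text, $value): string
{
    return str_replace('?', quoteValue($value), $text);
}

// Model of the WHERE handling: an integer key means the term is already a
// complete condition and is used verbatim (nothing is quoted); a string key
// is a condition with a placeholder, and the value is quoted into it.
function whereExpr($where): string
{
    $terms = [];
    foreach ((array) $where as $cond => $term) {
        $terms[] = '(' . (is_int($cond) ? $term : quoteInto($cond, $term)) . ')';
    }
    return implode(' AND ', $terms);
}

$id = "1 OR 1=1"; // constructed untrusted input

$cases = [
    'interpolated string (unsafe)' => "id = $id",
    'pre-quoted with quoteInto()'  => quoteInto('id = ?', $id),
    'placeholder array'            => ['id = ?' => $id],
    'mixed array'                  => ['id = ?' => $id, "status = 'active'"],
];

// Print the WHERE clause each form produces so they can be compared.
foreach ($cases as $label => $where) {
    printf("%-30s %s\n", $label, whereExpr($where));
}
```

Only the first form lets the input change the structure of the condition, which is the case the documentation note warns about; the placeholder-array form is the one that gets quoted through the call chain listed in the question.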