When you're writing native SQL statements with Doctrine, how are you supposed to escape input? In my experience, mysql_real_escape_string doesn't work.
Viewed 5,470 times
3

Jason Swett
- prepared statement in doctrine http://stackoverflow.com/questions/1093428/doctrine-raw-sql-and-prepared-statements – tawfekov Dec 06 '10 at 22:13
- I know about that already. I'm talking about native SQL statements. – Jason Swett Dec 07 '10 at 14:22
1 Answer
3
When mysql_real_escape_string() is used properly, it works great. Parameterized libraries like ADODB and PDO would not work without it. I strongly recommend using PDO.

rook
- Since reading this I've discovered that `Doctrine_Manager::connection()` is a PDO instance, so if, for example, you have an instance of that called `$conn`, you can do `$conn->quote($value)`. – Jason Swett Dec 20 '10 at 19:06
- Beware of the quote function! It does not escape the quotes like mysql_real_escape_string but returns the given data quoted, e.g. you call quote('check') and the return value is 'check' including single quotes. – 4thfloorstudios May 11 '15 at 11:42