The sql_quote() function is used to secure or filter data content (with apostrophes) in order to avoid SQL injection attacks. This function is very important and must be used whenever content is provided by user data entry. The sql_insertq, sql_updateq, and sql_replace functions automatically apply this filtering to the inserted data, but not to the other parameters such as $where, which must still be filtered.
It accepts 3 parameters:
- $val is the expression to be filtered,
- $serveur,
- $type (optional) is the type of value expected; it equals int for an integer value.
It is used as shown below:
$charstring = sql_quote("David's car");
$fieldname = sql_quote($fieldname);
sql_select('column', 'table', 'titre=' . sql_quote($titre));
sql_updateq('table', array('column'=>'value'), 'titre=' . sql_quote($titre));
Whenever a numeric identifier is expected, which is often the case for primary keys, the filtering may simply apply the PHP intval() function (the value zero will be returned if the content passed is not numeric):
$id_table = intval(_request('id_table'));
sql_select('column', 'table', 'id_table=' . intval($id));
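As an added example (not SPIP's own code), the difference between building $where by raw concatenation and by filtering each user-supplied piece. quote_value() is a hypothetical stand-in for the contract described above: it uses standard doubled-apostrophe escaping rather than SPIP's driver-specific escaping, and maps $type 'int' to intval().

```php
<?php
// Added illustration, not SPIP's code: a minimal stand-in for the contract the
// page describes. quote_value() doubles apostrophes (standard SQL escaping;
// SPIP's sql_quote() delegates to the database driver, so its exact escaping
// may differ) and $type 'int' maps to intval(), giving 0 for non-numeric input.
function quote_value($val, $type = '') {
    if ($type === 'int') {
        return (string) intval($val);
    }
    return "'" . str_replace("'", "''", (string) $val) . "'";
}

// Unsafe pattern the page warns about: $where built by raw concatenation,
// so an apostrophe in $titre ends the string literal early and $id is not
// constrained to a number at all.
function where_unfiltered($titre, $id) {
    return "titre='" . $titre . "' AND id_table=" . $id;
}

// Filtered pattern: every user-supplied piece of $where goes through
// quote_value(), the string as a quoted literal and the id as an integer.
function where_filtered($titre, $id) {
    return 'titre=' . quote_value($titre)
         . ' AND id_table=' . quote_value($id, 'int');
}

// Constructed sample input: the page's own "David's car" and a non-numeric id.
$titre = "David's car";
$id    = "abc";

echo "unfiltered: ", where_unfiltered($titre, $id), "\n";
echo "filtered:   ", where_filtered($titre, $id), "\n";
```

The filtered clause keeps "David's car" as one literal and reduces the non-numeric id to 0, which is exactly the behaviour the intval() note above describes.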