And PDO::quote() does nothing for ODBC, because it currently has no idea what dialect of SQL is spoken by the underlying ODBC driver.
--Wez. On 8/30/05, Dan Scott <[EMAIL PROTECTED]> wrote: > dbs Tue Aug 30 20:56:36 2005 EDT > > Modified files: > /phpdoc/en/reference/pdo/functions PDO-quote.xml > Log: > Emphasize the usefulness of prepared statements vs. quoted input. > > > http://cvs.php.net/diff.php/phpdoc/en/reference/pdo/functions/PDO-quote.xml?r1=1.2&r2=1.3&ty=u > Index: phpdoc/en/reference/pdo/functions/PDO-quote.xml > diff -u phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2 > phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.3 > --- phpdoc/en/reference/pdo/functions/PDO-quote.xml:1.2 Mon Jul 11 00:38:55 > 2005 > +++ phpdoc/en/reference/pdo/functions/PDO-quote.xml Tue Aug 30 20:56:35 > 2005 > @@ -1,5 +1,5 @@ > <?xml version="1.0" encoding="iso-8859-1"?> > -<!-- $Revision: 1.2 $ --> > +<!-- $Revision: 1.3 $ --> > <!-- Generated by xml_proto.php v2.2. Found in /scripts directory of phpdoc. > --> > <refentry id="function.PDO-quote"> > <refnamediv> > @@ -24,9 +24,14 @@ > quoting style appropriate to the underlying driver. > </para> > <para> > - If you're using this function to build SQL, it is recommended that you > - using prepared statements and bound parameters instead, as it is not only > - more convenient, but often much faster. > + If you are using this function to build SQL statements, you are > + <emphasis>strongly</emphasis> recommended to use > + <function>PDO::prepare</function> to prepare SQL statements with bound > + parameters instead of using <function>PDO::quote</function> to interpolate > + user input into a SQL statement. Prepared statements with bound parameters > + are not only more portable, more convenient, and vastly more secure, but > + are often much faster than interpolating user input into slight variations > + on the same basic SQL statement. > </para> > <para> > Not all PDO drivers implement this method (notably PDO_ODBC). Consider >
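Review bot: In the second hunk (`@@ -24,9 +24,14 @@`) the new wording "you are <emphasis>strongly</emphasis> recommended to use" is awkward; "it is <emphasis>strongly</emphasis> recommended that you use <function>PDO::prepare</function>" reads better. The same paragraph is followed by "Not all PDO drivers implement this method (notably PDO_ODBC)" but never tells the reader how to detect that case; since the reply above notes the ODBC driver cannot know the SQL dialect, consider documenting what the method returns for an unsupported driver so callers can check it rather than interpolating the result blindly.

The contrast the patch describes, as an added PHP example that is not part of this thread or of the PDO documentation. It uses an in-memory SQLite database so it runs stand-alone (the table, rows and the `odbc:` DSN remark are assumptions): bound parameters need no driver-side quoting, whereas a `PDO::quote()` result must be checked before it is interpolated, because a driver that does not implement the method cannot return a usable literal.

```php
<?php
// Added example, not from the thread. SQLite is used so this runs offline;
// with a DSN such as "odbc:..." the quote() path below hits the unsupported case.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('o''brien')");

// Preferred: bound parameters. The value travels separately from the statement
// text, so PHP never needs to know the driver's quoting dialect.
function findUserPrepared(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Fallback: interpolating with PDO::quote(). Only valid where the driver
// implements it; an unsupported driver yields no usable literal, and pasting
// that into the statement would silently produce broken or wrong SQL.
function findUserQuoted(PDO $pdo, string $name): ?array
{
    $quoted = $pdo->quote($name, PDO::PARAM_STR);
    if ($quoted === false) {
        throw new RuntimeException('PDO::quote() unsupported by this driver; use prepare()');
    }
    $row = $pdo->query("SELECT id, name FROM users WHERE name = $quoted")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A name containing a quote character is handled by both paths on SQLite.
var_dump(findUserPrepared($pdo, "o'brien"));
var_dump(findUserQuoted($pdo, "o'brien"));
// With bound parameters a value is always data, never part of the statement,
// so a lookup for a string that merely resembles SQL simply matches no row.
var_dump(findUserPrepared($pdo, "' OR '1'='1"));
```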
