PDO::quote
Processes a string for use in a query by placing quotes around the input string as required by the underlying SQL Server database. PDO::quote will escape special characters within the input string using a quoting style appropriate to SQL Server.
Syntax
string PDO::quote( $string[, $parameter_type ] )
Parameters
$string: The string to quote.
$parameter_type: An optional (integer) symbol indicating the data type. The default is PDO::PARAM_STR.
PHP 7.2 introduced new PDO constants to support binding Unicode and non-Unicode strings. A Unicode string is quoted with an N prefix (N'string' rather than 'string').
- PDO::PARAM_STR_NATL - a new type for Unicode strings, to be applied as a bitwise-OR to PDO::PARAM_STR
- PDO::PARAM_STR_CHAR - a new type for non-Unicode strings, to be applied as a bitwise-OR to PDO::PARAM_STR
- PDO::ATTR_DEFAULT_STR_PARAM - set to either PDO::PARAM_STR_NATL or PDO::PARAM_STR_CHAR to choose the value that is bitwise-ORed with PDO::PARAM_STR by default
Beginning with version 5.8.0 of the Microsoft Drivers for PHP for SQL Server, you can use these constants with PDO::quote.
Return Value
A quoted string that can be passed to a SQL statement, or false on failure.
Remarks
Support for PDO was added in version 2.0 of the Microsoft Drivers for PHP for SQL Server.
String escape example
<?php
$database = "test";
$server = "(local)";
$conn = new PDO( "sqlsrv:server=$server ; Database = $database", "", "");
// The PHP literal 'a \' g' is the value a ' g (one embedded single quote).
$param = 'a \' g';
// PDO::quote doubles the embedded quote and wraps the result: 'a '' g'
$param2 = $conn->quote( $param );
// Binding the raw value: the driver sends it as data, so a ' g is stored.
$query = "INSERT INTO Table1 VALUES( ?, '1' )";
$stmt = $conn->prepare( $query );
$stmt->execute(array($param));
// Binding the already-quoted value: the surrounding quotes and the doubled
// quote are stored literally, i.e. the second column receives 'a '' g'.
$query = "INSERT INTO Table1 VALUES( ?, ? )";
$stmt = $conn->prepare( $query );
$stmt->execute(array($param, $param2));
?>
PDO quote example
The following script shows a few examples of how extended string types affect PDO::quote() with PHP 7.2+.
<?php
$database = "test";
$server = "(local)";
$db = new PDO("sqlsrv:server=$server; Database=$database", "", "");
$db->quote('über', PDO::PARAM_STR | PDO::PARAM_STR_NATL); // N'über'
$db->quote('foo'); // 'foo'
$db->setAttribute(PDO::ATTR_DEFAULT_STR_PARAM, PDO::PARAM_STR_NATL);
$db->quote('über'); // N'über'
$db->quote('foo', PDO::PARAM_STR | PDO::PARAM_STR_CHAR); // 'foo'
?>
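To make the rule concrete, the following is an added Python model (not the driver's code) of the quoting PDO::quote performs for SQL Server and of the PARAM_STR_NATL/PARAM_STR_CHAR/ATTR_DEFAULT_STR_PARAM resolution shown in the PDO quote example; it also traces where each variant of the string escape example above ends up in the table. The numeric flag values are assumed from php-src, and the connection is not modelled.

```python
# Added example: model of the SQL Server quoting rule used by PDO::quote in
# the pdo_sqlsrv driver. Not the driver's code; flag values assumed from php-src.
PARAM_STR = 2
PARAM_STR_NATL = 0x40000000  # PDO::PARAM_STR_NATL (PHP 7.2+), assumed value
PARAM_STR_CHAR = 0x20000000  # PDO::PARAM_STR_CHAR (PHP 7.2+), assumed value


def quote(value: str, param_type: int = PARAM_STR, default_str_param: int = 0) -> str:
    """Model of PDO::quote. default_str_param models PDO::ATTR_DEFAULT_STR_PARAM
    and is consulted only when param_type carries neither NATL nor CHAR."""
    if param_type & PARAM_STR_NATL:
        natl = True
    elif param_type & PARAM_STR_CHAR:
        natl = False
    else:
        natl = bool(default_str_param & PARAM_STR_NATL)
    # T-SQL escapes a single quote inside a literal by doubling it.
    return ("N" if natl else "") + "'" + value.replace("'", "''") + "'"


def unquote(literal: str) -> str:
    """Parse a T-SQL string literal back to the value the server would store.
    Raises ValueError for an undoubled quote, i.e. text that would end the
    literal early instead of being stored as data."""
    if literal.startswith("N"):
        literal = literal[1:]
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a quoted string literal")
    inner = literal[1:-1]
    if "'" in inner.replace("''", ""):
        raise ValueError("undoubled quote inside literal")
    return inner.replace("''", "'")


def stored_value(value: str, how: str) -> str:
    """What lands in the column for the ways the string escape example sends
    `value`: bound raw, quoted then bound, or quoted and spliced into SQL text."""
    if how == "bind":           # execute([$param]): sent as data, never parsed
        return value
    if how == "bind_quoted":    # execute([$conn->quote($param)]): quotes kept
        return quote(value)
    if how == "inline_quoted":  # "VALUES(" . $conn->quote($param) . ")"
        return unquote(quote(value))
    raise ValueError(how)
```

Only the "bind" path stores the value unchanged; quoting a value and then binding it stores the quote characters themselves, which is the effect the second INSERT in the string escape example produces.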