For MySQL, you would use the function mysql_real_escape_string(), and for PostgreSQL you would use pg_escape_string(). As we are using Zend_Db, we can use the member function quote() to take care of this issue. The quote() function calls the correct underlying database-specific function and, if there isn't one, escapes the string using the correct rules for the database involved. Usage is very easy:
$value = $db->quote("It's a kind of magic");
Licensed to Menshu You
Please post comments or corrections to the Author Online forum at
http://www.manning-sandbox.com/forum.jspa?forumID=329
An alternative solution is to use parameterized queries, where variables are denoted by placeholders and
are substituted by the database engine with the correct variable. The Zend_Db provides the quoteInto()
function for this. For example:
$sql = $db->quoteInto('SELECT * FROM table WHERE id = ?', 1);
$result = $db->query($sql);
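To see why the two approaches above matter, here is an added example (not code from the book) that builds the same lookup three ways against an in-memory SQLite database through Zend_Db. It assumes Zend Framework 1.x is on the include path; the table, rows and the $title input are constructed for the demonstration.

```php
<?php
// Added example, not from the book. Assumes Zend Framework 1.x on the
// include path. Uses an in-memory SQLite database so it runs stand-alone.
require_once 'Zend/Db.php';

$db = Zend_Db::factory('Pdo_Sqlite', array('dbname' => ':memory:'));
$db->query('CREATE TABLE albums (id INTEGER PRIMARY KEY, title TEXT)');
$db->insert('albums', array('title' => "It's a kind of magic"));
$db->insert('albums', array('title' => 'Innuendo'));

// Constructed user input that contains a single quote.
$title = "It's a kind of magic";

// 1. Naive concatenation: the apostrophe terminates the string literal
//    early, so the statement is malformed. With other input, the same
//    defect lets the caller rewrite the query (SQL injection).
$unsafe = "SELECT id FROM albums WHERE title = '" . $title . "'";
try {
    $db->fetchOne($unsafe);
    echo "unsafe query ran\n";
} catch (Zend_Db_Exception $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

// 2. quote(): escapes the value with the adapter's rules and adds the
//    surrounding quotes, so the apostrophe stays part of the data.
$safe1 = 'SELECT id FROM albums WHERE title = ' . $db->quote($title);
echo "quote():     id = " . $db->fetchOne($safe1) . "\n";

// 3. quoteInto(): the ? placeholder is replaced by the quoted value,
//    which keeps the SQL text and the data visibly separate.
$safe2 = $db->quoteInto('SELECT id FROM albums WHERE title = ?', $title);
echo "quoteInto(): id = " . $db->fetchOne($safe2) . "\n";
```

Both quoted forms return the id of the first row (1); only the concatenated form fails, and it is the one that would also be exploitable with hostile input.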
Higher level interaction with Zend_Db_Table
When considering the model of an MVC application, we don't tend to want to work at the level of database queries if we can help it. The framework provides Zend_Db_Table, a table row gateway pattern that provides a higher level abstraction for thinking about data from the database.