PDO quote method

Question

Where and when do you use the quote method in PDO? I\'m asking this in the light of the fact that in PDO, all quoting is done by the PDO object therefore no user input shoul

Answer 1

The PDO system does not have (as far as I can find) any mechanism to bind an array variable in PHP into a set in SQL. That's a limitation of SQL prepared statements as well... thus you are left with the task of stitching together your own function for this purpose. For example, you have this:

$a = array(123, 'xyz', 789);

You want to end up with this:

$sql = "SELECT * FROM mytable WHERE item IN (123, 'xyz', 789)";

Using PDO::prepare() does not work because there's no method to bind the array variable $a into the set. You end up needing a loop where you individually quote each item in the array, then glue them together. In which case PDO::quote() is probably better than nothing, at least you get the character set details right.

Would be excellent if PDO supported a cleaner way to handle this. Don't forget, the empty set in SQL is a disgusting special case... which means any function you build for this purpose becomes more complex than you want it to be. Something like PDO::PARAM_SET as an option on the binding, with the individual driver deciding how to handle the empty set. Of course, that's no longer compatible with SQL prepared statements.

Happy if someone knows a way to avoid this difficulty.