The function ibase_query() can be used to send an SQL string to the database. However, there is no ibase_escape_string(), so, to be safe from SQL injection, a prepared statement must be used. Here, the function ibase_prepare() comes into play: it parses an SQL statement (with question marks as placeholders) and returns a statement object. Then, ibase_execute() executes this statement, taking the values for the placeholders as additional parameters.

Sending SQL to InterBase/Firebird (ibase_execute.php; excerpt)

<?php
if ($db = ibase_connect('localhost:/tmp/quotes.gdb', 'user', 'password')) {
    require_once 'stripFormSlashes.inc.php';
    // The question marks are placeholders; the submitted values never become part of the SQL text
    $sql = 'INSERT INTO quotes (id, quote, author, qyear) ' .
           'VALUES (GEN_ID(quotes_gen, 1), ?, ?, ?)';
    $stmt = ibase_prepare($db, $sql);
    ibase_execute($stmt, $_POST['quote'], $_POST['author'], intval($_POST['year']));
    echo 'Quote saved.';
    ibase_close($db);
} else {
    echo 'Connection failed.';
}
?>

NOTE The preceding code contains two specialities of Firebird. First, the identity column is driven by a generator in the database; the call to GEN_ID(quotes_gen, 1) produces the next available value for this column when inserting a new row. Also, the word year is reserved within Firebird, so the column's name is qyear.
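The same placeholder technique applies to reading data back, which is where string concatenation is most tempting. The following script is an added example, not part of the book's listing: it queries the same quotes table by author with ibase_prepare()/ibase_execute(), checks the return values the book's excerpt ignores, and frees the statement and result handles. The connection string, the quotesByAuthor() function name, the length limit of 100 bytes and the use of $_GET['author'] are assumptions made for this example.

```php
<?php
// Added example (not from the book): a parameterized SELECT against the
// quotes table from the listing above. Connection details are placeholders.

/**
 * Return all quotes by one author, oldest first.
 *
 * The unsafe alternative would be
 *   "SELECT ... WHERE author = '" . $_GET['author'] . "'"
 * Because there is no ibase_escape_string(), that form cannot be made safe;
 * the placeholder keeps the value out of the SQL text entirely.
 */
function quotesByAuthor($db, $author)
{
    // Server-side sanity check; the database would also reject oversized
    // values, but failing early gives a clearer error and cheaper rejection.
    if (!is_string($author) || $author === '' || strlen($author) > 100) {
        throw new InvalidArgumentException('author must be 1-100 bytes');
    }

    $sql  = 'SELECT id, quote, author, qyear FROM quotes ' .
            'WHERE author = ? ORDER BY qyear';
    $stmt = ibase_prepare($db, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . ibase_errmsg());
    }

    // The author travels to the server as a parameter, not as SQL.
    $result = ibase_execute($stmt, $author);
    if ($result === false) {
        ibase_free_query($stmt);
        throw new RuntimeException('execute failed: ' . ibase_errmsg());
    }

    // Firebird folds unquoted column names to upper case, so the keys
    // returned by ibase_fetch_assoc() are ID, QUOTE, AUTHOR and QYEAR.
    $rows = array();
    while ($row = ibase_fetch_assoc($result)) {
        $rows[] = $row;
    }
    ibase_free_result($result);
    ibase_free_query($stmt);
    return $rows;
}

if ($db = ibase_connect('localhost:/tmp/quotes.gdb', 'user', 'password')) {
    $author = isset($_GET['author']) ? (string) $_GET['author'] : '';
    try {
        foreach (quotesByAuthor($db, $author) as $row) {
            // Parameters protect the database; output still needs HTML escaping.
            printf("%s (%d): %s<br>\n",
                   htmlspecialchars($row['AUTHOR']),
                   $row['QYEAR'],
                   htmlspecialchars($row['QUOTE']));
        }
    } catch (Exception $e) {
        // Log the detail for the operator, show the user only a generic message.
        error_log($e->getMessage());
        echo 'Lookup failed.';
    }
    ibase_close($db);
} else {
    echo 'Connection failed.';
}
?>
```

The two checks on false return values matter in practice: ibase_execute() returns false on a constraint violation or a lost connection, and without the check the script would report success to the user while nothing was stored or fetched. Keeping the error text in the log rather than in the response avoids leaking table and column names.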