139
PHP And Pdo
See the difference in results below. e first result is quoted; the second is not.
"24" = pdo->quote($userID);
versus
24 = mysql_real_escape_string($userID);
erefore, resulting SQL statements would look like the following when manually
quoted.
Using PDO q uote():
SELECT name, email, id FROM members WHERE id = "24"
Using mysql_real_escape_string():
SELECT name, email, id FROM members WHERE id = 24
As demonstrated elsewhere, the problem with the string returned from mysql_
real_escape_string() is that the string representation of the number 24 is not
quoted. is essentially treats it as a number, when it is not. It is still a string. If it was
an actual integer, it would not need to be quoted.
PDO and WHERE IN Statements
PDO does allow pas ...