
Using PDO::quote to Safely Quote Strings in PHP

This article explains how to use PHP's PDO::quote function to safely add quotes to strings for SQL statements, describes its syntax and parameters, and provides two practical code examples demonstrating quoting of normal and potentially dangerous strings.

php中文网 Courses

When SQL statements are assembled in PHP by concatenating strings, every string value must be quoted and escaped; otherwise a stray quote character in the value causes a syntax error or lets the value change the meaning of the statement (SQL injection). The built-in PDO::quote() method adds the quotes and escaping that are appropriate for the current database driver.

The method's syntax is:

public PDO::quote(string $string, int $parameter_type = PDO::PARAM_STR) : string

$string : the string that needs quoting.

$parameter_type : optional driver-specific hint for the data type, defaulting to PDO::PARAM_STR.

The method returns the quoted string, which can then be embedded in the SQL text. If the driver does not support quoting, false is returned, so check the result with === false before using it. Note that the PHP manual recommends prepared statements with bound parameters over quoting values by hand; quote() is for the cases where a value cannot be passed as a parameter.

Example 1 – Quoting a normal string

<code>&lt;?php
$servername = "localhost";
$username = "root";
$password = "root123456";
$dbname   = "my_database";

try {
    $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    echo "连接成功" . "<br>";
    // $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_CASE, PDO::CASE_UPPER);
    $string = 'Nice';
    print "Unquoted string: $string";
    echo "<br>";
    print "Quoted string: " . $pdo->quote($string) . "\n";
} catch (PDOException $e) {
    echo $e->getMessage();
}
// Output:
// 连接成功
// Unquoted string: Nice
// Quoted string: 'Nice'
?></code>

Example 2 – Quoting a potentially dangerous string

<code>&lt;?php
$servername = "localhost";
$username = "root";
$password = "root123456";
$dbname   = "my_database";

try {
    $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    echo "连接成功" . "<br>";
    // $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_CASE, PDO::CASE_UPPER);
    $string = 'Naughty \' string';
    print "Unquoted string: $string";
    echo "<br>";
    print "Quoted string:" . $pdo->quote($string);
} catch (PDOException $e) {
    echo $e->getMessage();
}
// Output:
// 连接成功
// Unquoted string: Naughty ' string
// Quoted string:'Naughty \' string'
?></code>

These examples show how PDO::quote() prepares strings for inclusion in SQL text, both ordinary values and values containing quote characters that would otherwise break or alter the statement.
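As an added example (not code from the original article), the following script contrasts raw string interpolation, PDO::quote() and a prepared statement on the same "Naughty" value used in Example 2. It uses PDO's SQLite driver with an in-memory database so it needs no server; the table name, its rows and the input value are constructed for the demonstration.

```php
<?php
// Added example: three ways of getting a user-supplied value into a query,
// run against a constructed in-memory SQLite table so it works offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)");
$pdo->exec("INSERT INTO comments (body) VALUES ('Nice'), ('Naughty '' string')");

$input = "Naughty ' string";   // the same value the article quotes in Example 2

// 1. Raw interpolation: the embedded quote ends the literal early, so the
//    statement no longer parses; other inputs would change its meaning instead.
try {
    $pdo->query("SELECT id FROM comments WHERE body = '$input'");
} catch (PDOException $e) {
    echo "Unquoted input: " . $e->getMessage() . PHP_EOL;
}

// 2. PDO::quote(): the driver escapes the quote (SQLite doubles it) and wraps
//    the value in single quotes. Compare against false, because drivers that
//    cannot quote return false rather than a string.
$quoted = $pdo->quote($input);
if ($quoted === false) {
    throw new RuntimeException('driver cannot quote; use a prepared statement');
}
$id = $pdo->query("SELECT id FROM comments WHERE body = $quoted")->fetchColumn();
echo "quote(): $quoted -> id $id" . PHP_EOL;

// 3. Prepared statement with a bound parameter: the value never becomes part
//    of the SQL text, which is why the PHP manual prefers this over quote().
$stmt = $pdo->prepare("SELECT id FROM comments WHERE body = :body");
$stmt->execute([':body' => $input]);
echo "prepared: id " . $stmt->fetchColumn() . PHP_EOL;
```

Note that quote() produces a string literal only; it cannot be used to quote table or column names, which is another reason to keep identifiers out of user input entirely.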

Written by php中文网 Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
