
Using PDO::quote to Safely Quote Strings in PHP

This article explains how to use PHP's PDO::quote function to safely add quotes to strings for SQL statements, describes its syntax and parameters, and provides two practical code examples demonstrating quoting of normal and potentially dangerous strings.


When building SQL statements in PHP, string values have to be quoted, otherwise an embedded quote character causes a syntax error or lets the value alter the statement (SQL injection). The built-in PDO::quote() method wraps a string in the quotes the active driver expects and escapes the special characters inside it. The PHP manual recommends prepared statements with bound parameters for user-supplied input; PDO::quote() is the fallback for the cases where a value really has to be interpolated into the SQL text.

The syntax of the method is:

public PDO::quote(string $string, int $parameter_type = PDO::PARAM_STR): string|false

$string : the string that needs quoting.

$parameter_type : optional driver-specific hint for the data type, defaulting to PDO::PARAM_STR.

The method returns the quoted string, which can then be embedded in an SQL statement. If the driver does not support quoting in this way, false is returned, so the return value should be checked before it is interpolated.

Example 1 – Quoting a normal string

<?php
$servername = "localhost";
$username = "root";
$password = "root123456";
$dbname   = "my_database";

try {
    $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    echo "连接成功" . "<br>";
    // $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_CASE, PDO::CASE_UPPER);
    $string = 'Nice';
    print "Unquoted string: $string";
    echo "<br>";
    // quote() wraps the value in single quotes for the MySQL driver
    print "Quoted string: " . $pdo->quote($string) . "\n";
} catch (PDOException $e) {
    echo $e->getMessage();
}
// Output:
// 连接成功
// Unquoted string: Nice
// Quoted string: 'Nice'
?>

Example 2 – Quoting a potentially dangerous string

<?php
$servername = "localhost";
$username = "root";
$password = "root123456";
$dbname   = "my_database";

try {
    $pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    echo "连接成功" . "<br>";
    // $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_CASE, PDO::CASE_UPPER);
    // the embedded single quote would terminate an unquoted SQL literal
    $string = 'Naughty \' string';
    print "Unquoted string: $string";
    echo "<br>";
    // the MySQL driver escapes the embedded quote with a backslash
    print "Quoted string: " . $pdo->quote($string);
} catch (PDOException $e) {
    echo $e->getMessage();
}
// Output:
// 连接成功
// Unquoted string: Naughty ' string
// Quoted string: 'Naughty \' string'
?>

These examples show how PDO::quote() prepares strings for inclusion in SQL statements: an ordinary string is simply wrapped in quotes, and a string containing a quote character is escaped so that it stays a literal instead of terminating the SQL string early. The exact escaping is driver-specific (the MySQL driver uses a backslash, other drivers double the quote), which is one more reason to prefer bound parameters where possible.
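The following is an added example, not code from the original article or from php中文网: it runs both approaches side by side against an in-memory SQLite database, so it works offline without the MySQL credentials used above. The users table, its rows and the lookup values are constructed for the example; the function names findByNameQuoted and findByNamePrepared are hypothetical. It checks the false return of PDO::quote() before interpolating, and confirms that a statement built with quote() and a prepared statement with a bound parameter return the same rows for a value containing a single quote.

```php
<?php
// Added example (not from the original article): PDO::quote() versus a
// prepared statement, run against an in-memory SQLite database so it works
// offline. The table, its rows and the lookup values are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// 'O''Brien' is standard SQL for a literal containing one single quote
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// Build the statement by interpolating a quoted literal. PDO::quote() wraps
// the value in single quotes and escapes any embedded quote characters.
function findByNameQuoted(PDO $pdo, string $name): array
{
    $literal = $pdo->quote($name);
    if ($literal === false) {
        // Some drivers cannot quote; never fall back to raw interpolation.
        throw new RuntimeException('driver does not support PDO::quote()');
    }
    $sql = "SELECT id, name FROM users WHERE name = $literal";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Preferred form: a bound parameter keeps the value out of the SQL text.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain name, a stored name containing a quote, and a
// string shaped like the one in Example 2 that matches no row.
$inputs = ['Alice', "O'Brien", "Naughty ' string"];

foreach ($inputs as $input) {
    $quoted   = findByNameQuoted($pdo, $input);
    $prepared = findByNamePrepared($pdo, $input);
    printf(
        "%-20s quote() => %-22s rows: quote()=%d prepared=%d\n",
        json_encode($input),
        $pdo->quote($input),
        count($quoted),
        count($prepared)
    );
    // Both techniques must agree on what the database returns.
    if ($quoted !== $prepared) {
        throw new LogicException("result mismatch for input: $input");
    }
}
```

Run with `php quote_demo.php` (any filename). On the SQLite driver the quoted form of `O'Brien` is `'O''Brien'` (the quote is doubled), whereas the article's MySQL output shows backslash escaping; the prepared-statement version needs no such knowledge of the driver, because the value never becomes part of the SQL text.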

Written by

php Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
