
Sending SQL to Firebird


ibase_execute()


The function ibase_query() can be used to send an SQL string to the database. However, there is no ibase_escape_string(), so the only safe way to pass user-supplied values is a prepared statement. This is where ibase_prepare() comes into play: it parses an SQL statement that uses question marks as placeholders and returns a statement handle. ibase_execute() then runs that statement, taking the values for the placeholders as additional parameters, so the user data never becomes part of the SQL text and cannot change its structure.

Sending SQL to InterBase/Firebird (ibase_execute.php; excerpt)
<?php
  if ($db = ibase_connect('localhost:/tmp/quotes.gdb', 'user',
      'password')) {
    require_once 'stripFormSlashes.inc.php';
    // Constant SQL text; the three question marks are the placeholders
    $sql = 'INSERT INTO quotes (id, quote, author, qyear) ' .
           'VALUES (GEN_ID(quotes_gen, 1), ?, ?, ?)';
    $stmt = ibase_prepare($db, $sql);
    // Values are bound positionally, never concatenated into $sql
    ibase_execute($stmt,
      $_POST['quote'], $_POST['author'], intval($_POST['year']));
    echo 'Quote saved.';
    ibase_close($db);
  } else {
    echo 'Connection failed.';
  }
?>

NOTE

The preceding code contains two Firebird-specific details. First, the identity column is driven by a generator in the database: the call to GEN_ID(quotes_gen, 1) supplies the next available value for this column when a new row is inserted. Second, YEAR is a reserved word in Firebird, so the column is named qyear instead.
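The following is an added example, not code from the book: it wraps the ibase_prepare()/ibase_execute() pattern from the listing above in small functions with error handling, shows the same placeholder rule applied to a SELECT, and inserts a constructed quote containing an apostrophe (the character that would break a string-concatenated statement) to show that bound values are stored verbatim. It assumes the interbase extension is loaded (part of PHP core up to 7.3, a PECL extension afterwards), the quotes table and quotes_gen generator described in the text, and placeholder connection details.

```php
<?php
// Added example (not from the book). Assumes the interbase extension, the
// quotes table and quotes_gen generator from the text; connection details
// below are placeholders.

function insertQuote($db, string $quote, string $author, int $year): bool
{
    // The SQL text is a constant. User input only ever travels through the
    // placeholders, so a quote such as "Don't panic." cannot alter the
    // statement. Never build this as "VALUES (..., '" . $quote . "', ...)".
    $sql = 'INSERT INTO quotes (id, quote, author, qyear) '
         . 'VALUES (GEN_ID(quotes_gen, 1), ?, ?, ?)';

    $stmt = ibase_prepare($db, $sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . ibase_errmsg());
        return false;
    }

    $ok = ibase_execute($stmt, $quote, $author, $year);
    if ($ok === false) {
        error_log('execute failed: ' . ibase_errmsg());
    }
    ibase_free_query($stmt);
    return $ok !== false;
}

function findQuotesByAuthor($db, string $author): array
{
    // Same rule for reads: the WHERE value is bound, never concatenated.
    $stmt = ibase_prepare($db,
        'SELECT id, quote, author, qyear FROM quotes WHERE author = ?');
    $rows = [];
    if ($stmt === false) {
        error_log('prepare failed: ' . ibase_errmsg());
        return $rows;
    }
    $result = ibase_execute($stmt, $author);
    if ($result !== false) {
        // Unquoted identifiers are stored upper-case by Firebird, so the
        // associative keys come back as ID, QUOTE, AUTHOR, QYEAR.
        while ($row = ibase_fetch_assoc($result)) {
            $rows[] = $row;
        }
        ibase_free_result($result);
    }
    ibase_free_query($stmt);
    return $rows;
}

function readYear(array $input): ?int
{
    // A bound parameter still deserves validation: accept only a plausible
    // integer year rather than silently coercing arbitrary text with intval().
    if (!isset($input['year']) || !preg_match('/^\d{1,4}$/', (string) $input['year'])) {
        return null;
    }
    return (int) $input['year'];
}

$db = ibase_connect('localhost:/tmp/quotes.gdb', 'user', 'password'); // placeholders
if ($db === false) {
    die('Connection failed: ' . ibase_errmsg());
}

// Constructed form input standing in for $_POST. The apostrophe is exactly
// what would terminate a string literal in a concatenated statement.
$form = ['quote' => "Don't panic.", 'author' => 'Douglas Adams', 'year' => '1979'];

$year = readYear($form);
if ($year === null) {
    die('Invalid year.');
}

if (insertQuote($db, $form['quote'], $form['author'], $year)) {
    foreach (findQuotesByAuthor($db, $form['author']) as $row) {
        printf("%d: %s (%s, %d)\n", $row['ID'], $row['QUOTE'], $row['AUTHOR'], $row['QYEAR']);
    }
}
ibase_close($db);
```

Because the SQL text passed to ibase_prepare() contains no user data, the apostrophe in the constructed quote is simply part of the bound value and is written to the quote column unchanged; a failed prepare or execute is reported through ibase_errmsg() instead of being silently ignored.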


