Sending SQL to Firebird
The function ibase_query() can be used to send an SQL string to the database. However, there is no ibase_escape_string(), so to be safe from SQL injection, a prepared statement must be used. Here, the function ibase_prepare() comes into play: it parses an SQL statement (with question marks as placeholders) and returns a statement object. Then, ibase_execute() executes this statement, taking the values for the placeholders as additional parameters.
Sending SQL to InterBase/Firebird (ibase_execute.php; excerpt)
<?php
if ($db = ibase_connect('localhost:/tmp/quotes.gdb', 'user', 'password')) {
  require_once 'stripFormSlashes.inc.php';
  $sql = 'INSERT INTO quotes (id, quote, author, qyear) ' .
         'VALUES (GEN_ID(quotes_gen, 1), ?, ?, ?)';
  $stmt = ibase_prepare($db, $sql);
  ibase_execute($stmt, $_POST['quote'], $_POST['author'], intval($_POST['year']));
  echo 'Quote saved.';
  ibase_close($db);
} else {
  echo 'Connection failed.';
}
?>
The preceding code contains two Firebird-specific details. First, the identity column is driven by a generator in the database; the call to GEN_ID(quotes_gen, 1) supplies the next available value for this column when a new row is inserted. Also, the word year is reserved within Firebird, so the column's name is qyear.
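As an added example (not the book's code), the listing's INSERT wrapped in a reusable function with error handling, plus a parameterised SELECT that reads the rows back through the bind-argument form of ibase_query(); the DSN, credentials and the sample rows are assumed.

```php
<?php
// Added example (not the book's code): the INSERT wrapped in a function, plus a
// parameterised SELECT. Table, generator and column names follow the listing; the DSN is assumed.

// Insert one quote; returns true on success.
function save_quote($db, string $quote, string $author, string $year): bool
{
    // Validate the year first: intval() alone would silently turn "abc" into 0.
    if (!ctype_digit($year) || strlen($year) > 4) {
        return false;
    }
    // The SQL text stays constant; user input travels only as bound values, so a
    // quote like "O'Brien" is stored literally instead of being parsed as SQL.
    $sql = 'INSERT INTO quotes (id, quote, author, qyear) '
         . 'VALUES (GEN_ID(quotes_gen, 1), ?, ?, ?)';
    $stmt = ibase_prepare($db, $sql);
    if ($stmt === false) {
        error_log('prepare failed: ' . ibase_errmsg());
        return false;
    }
    $ok = ibase_execute($stmt, $quote, $author, (int) $year) !== false;
    ibase_free_query($stmt);
    return $ok;
}

// Fetch all quotes by one author. ibase_query() also takes bind values after
// the SQL string, so the name is never spliced into the query text.
function quotes_by_author($db, string $author): array
{
    $rows = [];
    $res = ibase_query($db, 'SELECT id, quote, qyear FROM quotes WHERE author = ?', $author);
    if ($res === false) {
        error_log('select failed: ' . ibase_errmsg());
        return $rows;
    }
    while ($row = ibase_fetch_assoc($res)) {
        $rows[] = $row;
    }
    ibase_free_result($res);
    return $rows;
}

if ($db = ibase_connect('localhost:/tmp/quotes.gdb', 'user', 'password')) {
    save_quote($db, "Don't trust input.", "O'Brien", '2005');
    foreach (quotes_by_author($db, "O'Brien") as $row) {
        echo $row['QYEAR'], ': ', $row['QUOTE'], "\n"; // unquoted Firebird identifiers come back upper-case
    }
    ibase_close($db);
}
```

The interbase extension that provides these ibase_* functions was moved out of PHP core into PECL with PHP 7.4, so it must be installed separately on current PHP versions.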