Hello, on the following line:
https://github.com/MonetDB/monetdb-php/blob/92435e835410c2ae088830c31583e4f3b5519188/examples/query.php#L25
the code escapes the whole query. This doesn't make sense, and would ruin the query if it contained any special characters, like double quotes for identifiers or single quotes for strings.
The escaping is intended to be used for values (string, numeric, etc.) which are inserted into the code. For example:

```php
<?php
// $db is an open connection handle (e.g. the result of monetdb_connect()).
// Only the value is escaped; the surrounding query text is left untouched.
$value = monetdb_escape_string("This is a 'sentence'.");
$res = monetdb_query($db, "
select
*
from
myTable
where
myValue like '%{$value}%'
limit
10
") or trigger_error(monetdb_last_error());
```

The other example is also interesting:
https://github.com/MonetDB/monetdb-php/blob/92435e835410c2ae088830c31583e4f3b5519188/examples/simple_query.php#L27
The code there escapes a whole query, received from a post. If code executes posted queries, then it is probably a client program, through which the users can execute queries. If you escape those, they only get ruined. Just execute the following query with escaped single quotes on the console:

```
sql>select * from sys.tables where name = \'\';
more>
```

As you can see, the quote became open. Syntax error. Escaping is only for values inserted into single quotes in a query, but not for whole queries.
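The point above, as an added worked example that is not part of the issue or of the monetdb-php code. It is written in Python because the rule being shown (escape the value, never the statement) is independent of the PHP API; `escape_value()` is an assumed stand-in that only reproduces the `\'` form visible on the console, not the real `monetdb_escape_string()`, and `literals_closed()` is a small scanner that checks whether every single-quoted literal is terminated under MonetDB's backslash-escape rule. It also covers the general case: any statement that contains a quote, not just the `name = ''` one from the console.

```python
# Added example; not code from the monetdb-php repository.
# escape_value() is an ASSUMED stand-in for a value-escaping function such as
# monetdb_escape_string(): it puts a backslash before backslashes and single
# quotes, which is the \' form the issue shows on the console. The exact rules
# of the real function are not reproduced here.

def escape_value(value: str) -> str:
    """Escape a *value* so it can be placed between single quotes."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literals_closed(sql: str) -> bool:
    """Return True if every single-quoted literal in ``sql`` is terminated.

    Inside a literal a backslash escapes the next character (MonetDB accepts
    C-style escapes, which is why \\' works there). Outside a literal a
    backslash is just a stray character and escapes nothing, so the sequence
    \\'\\' opens a literal that is never closed: exactly what the ``more>``
    continuation prompt in the issue is reporting.
    """
    in_string = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_string:
            if c == "\\":
                i += 1          # skip the escaped character
            elif c == "'":
                in_string = False
        elif c == "'":
            in_string = True
        i += 1
    return not in_string


def build_like_query(user_input: str) -> str:
    """Correct use: escape only the value, then interpolate it inside quotes."""
    return (
        "select * from myTable where myValue like '%"
        + escape_value(user_input)
        + "%' limit 10"
    )


def escape_whole_query(sql: str) -> str:
    """Incorrect use, as in the two examples: escape the full statement."""
    return escape_value(sql)


if __name__ == "__main__":
    # Constructed inputs: a user-supplied search value and a user-supplied
    # statement, the two situations the issue contrasts.
    good = build_like_query("This is a 'sentence'.")
    bad = escape_whole_query("select * from sys.tables where name = '';")
    print(good, literals_closed(good))
    print(bad, literals_closed(bad))
```

Running it shows the value-escaped query with all its literals closed, and the statement-escaped query with an unterminated literal, the same state the console was left in. Escaping a whole posted statement also buys nothing on the security side: whoever posts the statement already controls it entirely, so the only outcomes are a working statement (if it happens to contain no quotes) or a broken one.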