Method __builtin.Sql.Connection()->quote()

Method quote

string quote(string s)

Description

Quote a string s so that it can safely be put in a query.

All input that is used in SQL-querys should be quoted to prevent SQL injections.

Consider this harmfull code:

string my_input = "rob' OR name!='rob";
  string my_query = "DELETE FROM tblUsers WHERE name='"+my_input+"'";
  my_db->query(my_query);

This type of problems can be avoided by quoting my_input. my_input would then probably read something like rob\' OR name!=\'rob

Usually this is done - not by calling quote explicitly - but through using a sprintf like syntax:

string my_input = "rob' OR name!='rob";
  my_db->query("DELETE FROM tblUsers WHERE name=%s", my_input);

The default implementation quotes single quotes by doubling them.