My Zend Framework 'quoting' mess.
- by tharkun
I've got a probably very simple issue to which I can't find a satisfactory (subjectively seen) answer in the Zend Framework manual or elsewhere...
There are so many ways how I can hand over my php variables to my sql queries that I lost the overview and probably I lack some understanding about quoting in general.
Prepared Statements
$sql = "SELECT this, that
FROM table
WHERE id = ? AND restriction = ?";
$stmt = $this->_db->query($sql, array($myId, $myValue));
$result = $stmt->fetchAll();
I understand that with this solution I don't need to quote anything because the db handles this for me.
Querying Zend_Db_Table and _Row objects over the API
$users = new Users();
a) $users->fetchRow('userID = ' . $userID);
b) $users->fetchRow('userID = ' . $users->getAdapter()->quote($userID, 'INTEGER'));
c) $users->fetchRow('userID = ?', $userID);
d) $users->fetchRow('userID = ?', $users->getAdapter()->quote($userID, 'INTEGER'));
Questions
I understand that a) is not ok because it's not quoted at all. But what about the other versions, what's the best? Is c) being treated like a statement and automatically quoted or do I need to use d) when I use the ? identifier?