Quote:
Originally Posted by Tekerson
The other option is to use bound parameters by passing the second parameter to query(). So you don't even need quoteInto(). Like this:
Code:
...
$sql = 'SELECT g.GalleryName, e.EventName
...
WHERE g.Type = :gType AND g.GalleryID = :gGalleryId';
$query = $db->query($sql, array(
'gType' => $gType,
'gGalleryId' => $gGalleryId,
));
You can have as many bound parameters as you want; unfortunately, you can't use the same one multiple times in the query (unless that's changed since I last looked).
Thanks, but then I am not quoting any of those values! Doesn't that open me to SQL injection attacks?
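An added example, written for this page and not posted by either participant, showing what Tekerson's suggestion changes. It uses plain PDO against an in-memory SQLite database (an assumption made so the script runs stand-alone; the thread is about Zend_Db, whose query($sql, $bind) hands the same named placeholders down to PDO). The table, rows and the attacker-style input values are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): why bound parameters need no quoteInto().
// Assumption: PDO with the sqlite driver is available.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and data, mirroring the column names in the thread.
$db->exec('CREATE TABLE gallery (GalleryID INTEGER, GalleryName TEXT, Type TEXT)');
$db->exec("INSERT INTO gallery VALUES (1, 'Public gallery', 'public')");
$db->exec("INSERT INTO gallery VALUES (2, 'Private gallery', 'private')");

// Constructed attacker input: a stray quote and an OR clause that is meant to
// defeat the WHERE filter if the value ever becomes part of the SQL text.
$gType      = "public' OR '1'='1";
$gGalleryId = "2 OR 1=1 --";

// Vulnerable form: values spliced into the statement string. The attacker's
// quote closes the literal early and the rest is parsed as SQL, so every row
// in the table is returned.
$unsafe = "SELECT GalleryName FROM gallery"
        . " WHERE Type = '$gType' AND GalleryID = $gGalleryId";
$leaked = $db->query($unsafe)->fetchAll(PDO::FETCH_COLUMN);
echo "interpolated: " . implode(', ', $leaked) . "\n";   // both galleries

// Safe form: the same query with named placeholders, as in Tekerson's post.
// The SQL text is fixed before any value is seen; the values travel to the
// driver separately and are only ever compared as data. Nothing needs to be
// quoted because nothing is ever concatenated into the statement.
$sql = 'SELECT GalleryName FROM gallery'
     . ' WHERE Type = :gType AND GalleryID = :gGalleryId';
$stmt = $db->prepare($sql);
$stmt->execute([
    'gType'      => $gType,
    'gGalleryId' => $gGalleryId,
]);
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "bound: " . implode(', ', $safe) . "\n";   // empty: no Type equals "public' OR '1'='1"
```

Run it with `php example.php`; the first line lists both galleries, the second lists none, which is the whole point of the reply above: with bound parameters the quoting is not skipped, it is made unnecessary, because the value never enters the SQL text at all. The one thing binding does not protect is the parts of a statement that cannot be parameters (table and column names, ORDER BY direction), which still have to be whitelisted in code.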