[nycphp-talk] Partial Name Lookup Function in PEAR
Mikko Rantalainen
mikko.rantalainen at peda.net
Mon Sep 5 04:12:31 EDT 2005
Phil Duffy wrote:
> This is the PEAR-based solution to the question I posed earlier.
>
> $personList = & new DataObjects_Person();
> $lastNamePattern = $input->person->last_name;
> $lastNamePattern = addslashes($lastNamePattern) . '%';

Is this safe? I thought you were supposed to use
mysql_real_escape_string() with MySQL and pg_escape_string() with
PostgreSQL and something else with other database engines.

Code that uses DB_DataObject should use the following code instead, if
I've understood correctly:

  $lastNamePattern = $personList->escape($lastNamePattern) . '%';

Documentation:
http://pear.php.net/manual/en/package.database.db-dataobject.db-dataobject.escape.php

> $personList->whereAdd("last_name LIKE '$lastNamePattern'");
> $personList->orderBy('last_name');
> $result = $personList->find();

Am I the only one wondering if using an OO interface is really LESS
error prone or EASIER than just writing the SQL queries by myself?
At least, with an interface like this...

--
Mikko
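
Added example, not part of the original message and not PEAR code: it uses PDO with an in-memory SQLite database as a stand-in for DB_DataObject to show why the escaping has to match the database engine, and goes one step further by also escaping the LIKE wildcards % and _. The person table, the sample names and both function names are constructed for the illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP with pdo_sqlite;
// the person table and the names in it are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE person (last_name TEXT)');
$ins = $db->prepare('INSERT INTO person (last_name) VALUES (?)');
foreach (["O'Brien", "O'Neil", 'O_Hara', 'Olsen'] as $name) {
    $ins->execute([$name]);
}

// Pattern built with addslashes() and pasted into the SQL text, as in the
// quoted code. SQLite does not treat backslash as an escape inside a
// string literal, so a quote in the input still ends the literal.
function lookupAddslashes(PDO $db, $prefix)
{
    $pattern = addslashes($prefix) . '%';
    $sql = "SELECT last_name FROM person WHERE last_name LIKE '$pattern'";
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Same lookup with the value bound as a parameter, so no quoting rule of
// the engine is involved. LIKE wildcards in the user's text are escaped
// separately, because quoting a string does not neutralise % and _.
function lookupBound(PDO $db, $prefix)
{
    $literal = strtr($prefix, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $stmt = $db->prepare(
        "SELECT last_name FROM person WHERE last_name LIKE ? ESCAPE '\\' ORDER BY last_name"
    );
    $stmt->execute([$literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupAddslashes($db, "O'")); // addslashes() against an engine with other quoting rules
var_dump(lookupBound($db, "O'"));      // quote handled by parameter binding
var_dump(lookupBound($db, 'O_'));      // underscore matched literally, not as a wildcard
```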