Hello all,

I notice that Drupal has an abstraction layer built over the database calls. In other words, db_query is not a native PHP function. I've noticed however that mysql_real_escape_string does not behave as expected. What is the Drupal alternative to this function?

Comments

cburschka

db_query takes care of all your filtering, using what Java would call a prepared statement. Call it like this:

// %d is cast to an integer, %f to a float, and %s is escaped for the
// database; {table} gets the site's table prefix. Pass the values as
// extra arguments...
$result = db_query("SELECT * FROM {table} WHERE id = %d AND name = '%s' AND size = %f", $id, $name, $size);

// ...or as a single array; both forms are equivalent:
$result = db_query("SELECT * FROM {table} WHERE id = %d AND name = '%s' AND size = %f", array($id, $name, $size));
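To make visible what the placeholders in the answer above actually do, here is an added, stand-alone PHP example that is not Drupal's code and not part of the original thread. It is a simplified re-implementation of the Drupal 6 placeholder expansion (%d, %s, %f, %% and {table} prefixing) so it can be run without a database; the function names demo_query and demo_escape are hypothetical, and demo_escape uses addslashes() as a stand-in for the driver-level escaping that Drupal 6 exposes as db_escape_string().

```php
<?php
// Added example, not Drupal's own code: a simplified model of how
// db_query() expands typed placeholders before the SQL reaches the
// database. Names demo_query / demo_escape are hypothetical.

// Stand-in for the driver's string escaping (Drupal 6 calls the
// database driver here, e.g. via db_escape_string()).
function demo_escape($value) {
    return addslashes((string) $value);
}

// Accepts either variadic arguments or a single array, like db_query().
function demo_query($query) {
    $args = array_slice(func_get_args(), 1);
    if (count($args) == 1 && is_array($args[0])) {
        $args = $args[0];
    }

    // {table} -> prefixed table name (assumed prefix "drupal_" for the demo).
    $query = preg_replace('/\{([a-z_]+)\}/', 'drupal_$1', $query);

    // Each placeholder consumes one argument and coerces it to its type:
    // a %d or %f can never carry a quote, and a %s is always escaped.
    $query = preg_replace_callback('/%(d|s|f|%)/', function ($m) use (&$args) {
        switch ($m[1]) {
            case '%': return '%';
            case 'd': return (string) (int) array_shift($args);
            case 'f': return (string) (float) array_shift($args);
            case 's': return demo_escape(array_shift($args));
        }
    }, $query);

    return $query;
}

// Constructed inputs: a legitimate name containing an apostrophe, an id
// that is not a clean integer, and a size with a trailing unit.
$id   = "12abc";
$name = "O'Brien";
$size = "3.5kg";

echo demo_query("SELECT * FROM {users} WHERE id = %d AND name = '%s' AND size = %f",
                $id, $name, $size), "\n";

// The array form produces the same query.
echo demo_query("SELECT * FROM {users} WHERE id = %d AND name = '%s' AND size = %f",
                array($id, $name, $size)), "\n";
```

Running it shows the point of the typed placeholders: the id is reduced to the integer 12 and the size to 3.5 regardless of what else was in the string, and the apostrophe in O'Brien is escaped rather than terminating the quoted literal. This is why the thread's advice is to pass values as db_query() arguments instead of escaping them by hand and concatenating them into the query.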

lokisapocalypse

Excellent. Thanks.