        $db->nameQuote('#__test').
        " SET ".$db->nameQuote('content')."=".
        $db->Quote($data).
        " WHERE ".$db->nameQuote('id')."=".$id;
}
Assuming $id=123 and $data="Foo's bar", the value of $query will be:
UPDATE `#__test` SET `content`='Foo\'s bar' WHERE `id`=123
We use nameQuote() to encapsulate a named query element, for example a field or table
name, in quotes. MySQL does not require quotes around named query elements, but it is
good practice to add them because other database servers may require them.
We use Quote() to encapsulate query string values in quotes. Before encapsulating the
data, Quote() also runs it through the getEscaped() method, which escapes the characters
that would otherwise end the string literal early.
Chapter 11
[ 319 ]
In our example we didn't bother to escape the data in $id; there are three reasons
why we didn't need to: we cast the value of $id to an integer when we retrieved it
from the $_GET hash, we set the default value to 0, and we checked that it was a
positive value.
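The following is an added example, not code from the book or the Joomla project. It shows the query-building step above running end to end, including the three checks applied to $id and what getEscaped() does to values containing quote characters. StandInDatabase is a hypothetical stand-in for the JDatabase methods named in the text (nameQuote(), Quote(), getEscaped()) so that the script runs without a Joomla install; readId() and buildUpdateQuery() are likewise hypothetical helper names, and the request values are constructed for the demonstration. In a real extension $db would come from JFactory::getDBO() instead.

```php
<?php
// Added example, not from the book or the Joomla project. StandInDatabase is a
// hypothetical stand-in for the JDatabase methods named in the text, so the
// query-building step can be run without a Joomla install.
class StandInDatabase
{
    // Mirrors getEscaped(): backslash-escape the characters MySQL treats
    // specially inside a quoted string literal. Backslashes are handled first
    // so the escapes added for the other characters are not escaped again.
    public function getEscaped($text)
    {
        $search  = array("\\",   "\0",  "\n",  "\r",  "'",   '"',   "\x1a");
        $replace = array("\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z");
        return str_replace($search, $replace, $text);
    }

    // Mirrors Quote(): escape the value, then wrap it in single quotes.
    public function Quote($text)
    {
        return "'" . $this->getEscaped($text) . "'";
    }

    // Mirrors nameQuote(): wrap a table or column name in backticks.
    public function nameQuote($name)
    {
        return '`' . $name . '`';
    }
}

// Hypothetical helper applying the three checks the text relies on for $id:
// cast to integer, default to 0, and require a positive value. Returns null
// when the value is unusable so the caller never builds a query with it.
function readId(array $request)
{
    $id = isset($request['id']) ? (int) $request['id'] : 0;   // cast, default 0
    return ($id > 0) ? $id : null;                              // must be positive
}

// Hypothetical helper building the UPDATE statement exactly as in the text.
function buildUpdateQuery($db, $id, $data)
{
    return "UPDATE " . $db->nameQuote('#__test') .
        " SET " . $db->nameQuote('content') . "=" . $db->Quote($data) .
        " WHERE " . $db->nameQuote('id') . "=" . $id;
}

$db = new StandInDatabase();

// Constructed request values standing in for $_GET.
$requests = array(
    array('id' => '123'),        // normal case from the text
    array('id' => '12abc'),      // (int) cast keeps only the leading digits
    array('id' => 'abc'),        // (int) cast yields 0, so it is rejected
    array(),                     // absent key falls back to the default of 0
);

foreach ($requests as $request) {
    $id = readId($request);
    $shown = isset($request['id']) ? $request['id'] : null;
    echo "request id=" . var_export($shown, true)
        . " -> " . ($id === null ? "rejected" : "accepted as $id") . "\n";
}

// Values containing quote characters are neutralised by Quote(), so they stay
// inside the string literal instead of ending it early.
$samples = array("Foo's bar", "say \"hi\"", "back\\slash", "line1\nline2");
foreach ($samples as $data) {
    echo buildUpdateQuery($db, readId(array('id' => '123')), $data) . "\n";
}
```

Run it with the PHP command-line interpreter. The first loop shows why the text can skip escaping $id: the integer cast and the positive-value check leave no way for anything other than a bare integer to reach the WHERE clause. The second loop shows that the single quote in "Foo's bar" is the only thing standing between a value and the rest of the statement, which is exactly what Quote() takes care of.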
Encode XHTML Data
When we want data to appear exactly as it was entered in an XHTML page we need
to encode the data.