Here is what the docs say:
$result = db::query('SELECT * FROM comments JOIN users ON comment_user = user_id ORDER BY comment_date DESC LIMIT 0,10');
Warning: If you write your own SQL queries, you must make sure that they are protected against SQL injections.
I like to write my “raw” SQL queries, because then I can create more complex queries without boundaries. However, I want to protect these from SQL injections. Is it possible to use the db::query helper with something similar to how it works below with prepared statements?
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories, PDO::PARAM_INT);
$sth->bindParam(':colour', $colour, PDO::PARAM_STR, 12);
$sth->execute();
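As an added example (not part of the original post, and not the CMS's own db::query helper), here is the same comments/users query from the docs written as a PDO prepared statement. It assumes a plain PDO connection to an in-memory SQLite database with constructed sample rows; the user filter and the LIMIT value are bound as parameters, while the ORDER BY direction, which a placeholder cannot carry, is checked against an allow-list. The function name latestComments and the table layout are assumptions made for this illustration.

```php
<?php
// Added example: parameterised version of the docs' comments/users query.
// Assumes PDO with SQLite; tables and rows below are constructed sample data.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask the driver for real (server-side) prepares where it supports them, so
// bound values never become part of the SQL text.
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$dbh->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$dbh->exec('CREATE TABLE comments (
    comment_id   INTEGER PRIMARY KEY,
    comment_user INTEGER NOT NULL,
    comment_text TEXT    NOT NULL,
    comment_date TEXT    NOT NULL
)');

// Constructed sample rows, including a username that contains a quote.
$insUser = $dbh->prepare('INSERT INTO users (username) VALUES (:name)');
foreach (['alice', "o'brien"] as $name) {
    $insUser->execute([':name' => $name]);
}
$insComment = $dbh->prepare(
    'INSERT INTO comments (comment_user, comment_text, comment_date) VALUES (:uid, :text, :date)'
);
$insComment->execute([':uid' => 1, ':text' => 'first',  ':date' => '2024-01-01']);
$insComment->execute([':uid' => 1, ':text' => 'second', ':date' => '2024-01-02']);
$insComment->execute([':uid' => 2, ':text' => 'hello',  ':date' => '2024-01-03']);

/**
 * Latest comments by one user. $username and $limit are bound as parameters;
 * $direction is an SQL keyword, which cannot be bound, so it is allow-listed.
 */
function latestComments(PDO $dbh, string $username, int $limit, string $direction = 'DESC'): array
{
    $allowedDirections = ['ASC', 'DESC'];
    if (!in_array($direction, $allowedDirections, true)) {
        throw new InvalidArgumentException('Unsupported sort direction');
    }

    $sql = 'SELECT comment_text, username, comment_date
            FROM comments JOIN users ON comment_user = user_id
            WHERE username = :username
            ORDER BY comment_date ' . $direction . '
            LIMIT :limit';

    $sth = $dbh->prepare($sql);
    $sth->bindValue(':username', $username, PDO::PARAM_STR);
    $sth->bindValue(':limit', $limit, PDO::PARAM_INT); // typed, so LIMIT stays numeric
    $sth->execute();

    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// The quote in "o'brien" is data, not SQL syntax: one row comes back.
var_export(latestComments($dbh, "o'brien", 10));
echo PHP_EOL;

// A value carrying SQL-looking text is compared literally as a username,
// so it matches nobody and returns an empty array.
var_export(latestComments($dbh, "alice' OR 1=1 --", 10));
echo PHP_EOL;
```

The two calls at the end are the check worth keeping in mind: with placeholders, any value the caller supplies is compared as a literal, so the second call simply returns an empty result set. Only the pieces that a placeholder cannot express (column names, sort direction, table names) still need an allow-list, which is why $direction is validated before being concatenated.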