author: Andrey Andreev <narf@devilix.net> 2014-05-14 12:32:34 +0200
committer: Andrey Andreev <narf@devilix.net> 2014-05-14 12:32:34 +0200
commit: 8c833f4c096a1fa9187c599943159eacb3f7133a (patch)
tree: 6ac06409543a2f694905c61cd074f90ebbbb0bbb
parent: 1ffa223bd3d201d00170b3376bdc099ea8f12957 (diff)
[ci skip] Add a note about QB escaping field names
-rw-r--r-- user_guide_src/source/database/queries.rst | 12
1 file changed, 8 insertions, 4 deletions
diff --git a/user_guide_src/source/database/queries.rst b/user_guide_src/source/database/queries.rst
index 11dd78392..5d168c275 100644
--- a/user_guide_src/source/database/queries.rst
+++ b/user_guide_src/source/database/queries.rst
@@ -19,7 +19,7 @@ this::
$query = $this->db->query('YOUR QUERY HERE');
$this->db->simple_query();
-===========================
+==========================
This is a simplified version of the $this->db->query() method. It DOES
NOT return a database result set, nor does it set the query timer, or
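Review bot: the underline change on the `$this->db->simple_query();` heading is cosmetic only. reStructuredText accepts an underline that is longer than the heading text, so the previous 27-character underline already rendered correctly; trimming it to the 26 characters of the heading keeps the source tidy, but it is unrelated to the QB note the commit message describes and could be mentioned there.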
@@ -43,9 +43,9 @@ fetchable results.
echo "Query failed!";
}
-.. note:: PostgreSQL's pg_exec() function always returns a resource on
- success, even for write type queries. So take that in mind if
- you're looking for a boolean value.
+.. note:: PostgreSQL's ``pg_exec()`` function (for example) always
+ returns a resource on success, even for write type queries.
+ So take that in mind if you're looking for a boolean value.
***************************************
Working with Database prefixes manually
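Review bot: the rewritten note keeps the non-idiomatic "take that in mind" (should be "keep that in mind"), and the inserted "(for example)" leaves readers guessing which other drivers share the behaviour. Suggest wording the admonition around the general case, e.g. `.. note:: Some drivers, for example PostgreSQL's ``pg_exec()``, always return a resource on success, even for write-type queries, so keep that in mind if you're expecting a boolean value.` The switch to the ``pg_exec()`` inline literal is a good change.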
@@ -76,6 +76,10 @@ identifier you can use::
$this->db->protect_identifiers('table_name');
+.. important:: Although the Query Builder will try its best to properly
+ quote any field and table names that you feed it, note that it
+ is NOT designed to work with arbitrary user input. DO NOT feed it
+ with unsanitized user data.
This function will also add a table prefix to your table, assuming you
have a prefix specified in your database config file. To enable the
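Review bot: the new `.. important::` block lands between the `$this->db->protect_identifiers('table_name');` example and the paragraph starting "This function will also add a table prefix", so "This function" now reads as referring to the admonition rather than to protect_identifiers(); move the block after that paragraph (or ahead of the example) so the explanation stays contiguous. The warning itself could also be made actionable: since quoting an identifier cannot make an attacker-chosen column or table name safe, suggest the note tell readers to validate such names against an allow-list of known columns or tables before handing them to the Query Builder, rather than only saying "DO NOT feed it with unsanitized user data".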