To run a text query, use any of the following functions, passing a string-like
object (convertible to
containing valid SQL as the first parameter:
Almost any query that may be issued in the
command line can be executed using this method. This includes
In particular, you may start transactions by issuing a START
TRANSACTION, commit them using
COMMIT and roll them back using ROLLBACK.
mysql_real_escape_string to sanitize
user provided input. This limits text queries to queries without parameters.
Doing composition by hand can lead to SQL injection vulnerabilities. Please
use prepared statements instead,
which perform composition server-side in a safe way.
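The following is an added example, not code from the page or from the library it documents. It models, with the C++ standard library only, why hand composition differs from a prepared statement: with concatenation the user value becomes part of the SQL text the server parses, while with a prepared statement the text is constant and the value is bound separately. The struct names, compose_by_hand, compose_prepared and the simplified skeleton tokenizer are assumptions made for this illustration; the crafted input is constructed for the demonstration.

```cpp
// Added example: text query composed by hand vs. prepared statement.
// Standard library only; TextQuery/PreparedQuery and the tokenizer are
// illustrative models, not any MySQL client library's API.
#include <iostream>
#include <string>
#include <vector>

// What the server receives for a text query: one string it must parse.
struct TextQuery { std::string sql; };

// What the server receives for a prepared statement: fixed statement text
// with '?' placeholders, plus parameter values bound as data.
struct PreparedQuery {
    std::string sql;
    std::vector<std::string> params;
};

// Hand composition: the value is spliced into the SQL text (the unsafe path).
TextQuery compose_by_hand(const std::string& username) {
    return { "SELECT id FROM users WHERE username = '" + username + "'" };
}

// Prepared statement: the SQL text never changes; the value travels separately.
PreparedQuery compose_prepared(const std::string& username) {
    return { "SELECT id FROM users WHERE username = ?", { username } };
}

// Reduces a statement to the shape the parser sees by replacing every quoted
// string literal with '?'. Handles MySQL's doubled-quote ('') and backslash
// escapes inside literals; simplified (no comments, no backtick identifiers).
std::string skeleton(const std::string& sql) {
    std::string out;
    for (std::size_t i = 0; i < sql.size(); ++i) {
        char c = sql[i];
        if (c == '\'' || c == '"') {
            char q = c;
            ++i;  // step past the opening quote
            while (i < sql.size()) {
                if (sql[i] == '\\' && i + 1 < sql.size()) { i += 2; continue; }  // \x escape
                if (sql[i] == q) {
                    if (i + 1 < sql.size() && sql[i + 1] == q) { i += 2; continue; }  // '' escape
                    break;  // closing quote
                }
                ++i;
            }
            out += '?';
        } else {
            out += c;
        }
    }
    return out;
}

int main() {
    const std::string benign = "alice";
    const std::string crafted = "' OR '1'='1";  // constructed input for the demo

    // Hand composition: the statement's structure depends on the input.
    std::cout << "by hand, benign : " << skeleton(compose_by_hand(benign).sql) << '\n';
    std::cout << "by hand, crafted: " << skeleton(compose_by_hand(crafted).sql) << '\n';

    // Prepared: the structure is identical for any input; the value is data.
    PreparedQuery p = compose_prepared(crafted);
    std::cout << "prepared        : " << skeleton(p.sql)
              << "  (param 0 = " << p.params.at(0) << ")\n";
    return 0;
}
```

Run as-is, the hand-composed skeleton changes from `... username = ?` to `... username = ? OR ?=?` when the input carries a quote, which is exactly the structural change the warning above describes; the prepared statement's skeleton is the same string for both inputs because the server parses the template once and binds the value afterwards.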
SQL injection warning: if you compose queries by concatenating strings without sanitization, your code is vulnerable to SQL injection attacks. Use prepared statements when possible!
SQL injection warning: do not use this feature if any of your queries contains untrusted input. You can create SQL injection vulnerabilities if you do.
You should generally prefer prepared statements over text queries. Text queries can be useful for simple, non-parametrized queries:
"ROLLBACK" queries, for transactions.
"SET NAMES utf8mb4" and similar, to set variables for encoding, time zones and similar configuration.
"CREATE TABLE ..." and similar DDL statements.
Avoid text queries involving user input.