==================== Security and Binding ====================

With every SQL command you build, you should be certain to quote values using [[Solar_Sql_Adapter::quote()]], [[Solar_Sql_Adapter::quoteInto()]], or [[Solar_Sql_Adapter::quoteMulti()]].

> Alternatively, use
> [[Solar_Sql_Select::HomePage | Solar_Sql_Select]] to build SELECT statements
> and fetch results.

You can build your SELECT commands using named placeholders, and the $data array will be automatically quoted into the command for you (per the requirements of your particular database). For example:

{{code: php
$sql = Solar::factory('Solar_Sql');

// the command
$cmd = "SELECT * FROM table WHERE foo = :bar AND zim = :dib";

// data to bind into named placeholders
$data = array(
    'bar' => 'double quote"ed',
    'dib' => "single quote'ed",
);

// get a PDOStatement result
$pdoStatement = $sql->query($cmd, $data);

// the result will be from this statement:
// SELECT * FROM table WHERE foo = 'double quote\"ed' AND zim = 'single quote\'ed'
}}
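The following is an added example, not part of the Solar documentation, showing why raw interpolation is unsafe and how the same query is built with the quoting helpers above. It assumes that [[Solar_Sql_Adapter::quoteInto()]] substitutes each `?` with the quoted value, that [[Solar_Sql_Adapter::quoteMulti()]] quotes a list of clause/value pairs and joins them with the given separator, and that quote() turns an array into a comma-separated quoted list; the input values are constructed.

```php
<?php
// Added example (assumes the Solar autoloader is already configured).
$sql = Solar::factory('Solar_Sql');

// Untrusted input, e.g. taken from a request (constructed values).
$foo = "single quote'ed";
$ids = array(3, 7, 'abc');

// 1. UNSAFE: interpolating the raw value into the SQL string.
//    The stray quote closes the literal early, so whatever follows it in
//    the input is parsed as SQL rather than as data:
//    SELECT * FROM table WHERE foo = 'single quote'ed'
$unsafe = "SELECT * FROM table WHERE foo = '$foo'";

// 2. SAFE: a named placeholder; the adapter quotes the value for the
//    database in use when the command is executed.
$stmt = $sql->query(
    "SELECT * FROM table WHERE foo = :foo",
    array('foo' => $foo)
);

// 3. SAFE: a single clause built with quoteInto(); "?" is replaced by
//    the quoted value (assumed API).
$clause = $sql->quoteInto('foo = ?', $foo);
// foo = 'single quote\'ed'

// 4. SAFE: several clauses built with quoteMulti() and joined with
//    " AND " (assumed API); the array value becomes a quoted IN-list.
$where = $sql->quoteMulti(array(
    'foo = ?'   => $foo,
    'id IN (?)' => $ids,
), ' AND ');
// foo = 'single quote\'ed' AND id IN ('3', '7', 'abc')

$stmt = $sql->query("SELECT * FROM table WHERE $where");
```

Only the values are ever quoted; table and column names still have to come from your own code, never from user input.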