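// Demo: escaping untrusted values with ilUtil::prepareDBString before
// splicing them into a string-built SQL statement.
//
// The "password" below is a classic injection payload: the quote is meant to
// close the SQL string literal so that "OR 1=1" becomes part of the WHERE
// clause and "#" comments out the rest of the statement.
$username = 'john.doe';
$password = "password' OR 1=1#";

$query = "SELECT * FROM users"
    . " WHERE username='" . ilUtil::prepareDBString($username) . "'"
    . " AND password='" . ilUtil::prepareDBString($password) . "';";

// Resulting statement:
//   SELECT * FROM users WHERE username='john.doe' AND password='password\' OR 1=1#';
// The single quote in the password is escaped with a backslash, so the whole
// payload (including "OR 1=1#") stays inside the string literal and is
// compared as data rather than executed as SQL.
//
// Caveats a reviewer would want on this page:
//  - Escaping only protects values that end up inside a quoted string
//    literal. It does nothing for values spliced in unquoted (numeric
//    columns, identifiers, ORDER BY / LIMIT fragments), and backslash-style
//    escaping that is not aware of the connection charset has known bypasses
//    with some multibyte charsets. A parameterized query removes the
//    problem instead of patching it, e.g.
//      $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
//      $stmt->execute([$username]);
//  - Comparing the password inside the SQL WHERE clause implies it is stored
//    in plaintext. Store password_hash() output instead and check the
//    submitted password with password_verify() after fetching the row.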
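// Demo: escaping a value that contains a character special to SQL string
// literals (the apostrophe in "John's") next to one that is not (the
// ampersand).
$name = "John & Jane Doe";
$description = "This is John's page";

$query = "INSERT INTO pages (name, description) VALUES ('"
    . ilUtil::prepareDBString($name) . "', '"
    . ilUtil::prepareDBString($description) . "')";

// Resulting statement:
//   INSERT INTO pages (name, description) VALUES ('John & Jane Doe', 'This is John\'s page')
// Only the apostrophe is touched: it is escaped with a backslash so it cannot
// terminate the string literal early. The ampersand passes through
// unchanged -- prepareDBString performs SQL escaping, not HTML-entity
// encoding. Encode for HTML at output time (htmlspecialchars) rather than
// before storing; storing entity-encoded text corrupts the data for every
// non-HTML consumer and double-encodes when it is later escaped on output.
//
// This example shows how prepareDBString keeps characters such as the
// apostrophe from breaking (or altering) the SQL statement when inserting
// data into a database. As with any escape-then-concatenate approach, a
// prepared statement with bound parameters is the more robust choice. The
// ilUtil class is part of the ILIAS e-learning platform and is not a
// standalone library.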