Method: PG::Connection#escape_string

Defined in:
ext/pg_connection.c

#escape_string(str) ⇒ String Also known as: escape

Returns a copy of the String str in which the characters that are special inside a single-quoted SQL string literal have been escaped according to the connection's settings. The result carries no surrounding quotes: it is meant to be placed between single quotes in the SQL text, and is only safe there. When a value must be spliced into SQL text at all, this (or #escape_literal) is the correct way to do it; never build the escaping by hand.

Prefer exec_params where possible: it sends values to the server separately from the SQL text, so no escaping is needed at all and a value can never change the structure of the query.

When called on a connection object, str is first converted to the connection's client encoding and the returned string carries that encoding. The class-method form performs no conversion and returns a string in the same encoding as str.

NOTE: The class-method form (PG::Connection.escape_string) has no connection to consult, so it relies on libpq's process-wide defaults for client encoding and escaping rules. It can only be used safely in client programs that use a single PostgreSQL connection at a time (in that case libpq can find out what it needs to know “behind the scenes”). It might produce incorrectly escaped output in programs that use multiple database connections; use the same method on the connection object in such cases.

See also convenience functions #escape_literal and #escape_identifier which also add proper quotes around the string.

Returns:

  • (String)


# File 'ext/pg_connection.c', line 1678

/*
 * Backend for PG::Connection#escape_string and PG::Connection.escape_string.
 *
 * Escapes +string+ for use inside a single-quoted SQL literal and returns the
 * escaped text without surrounding quotes.  Called on a connection instance it
 * transcodes the input to the connection's client encoding and escapes through
 * PQescapeStringConn(), raising PG::Error if libpq reports a problem.  Called on
 * the class it falls back to PQescapeString(), which has no connection to consult
 * (see the method documentation for why that form is only safe with a single
 * connection).
 *
 * Non-String arguments and strings containing NUL bytes are rejected by
 * StringValueCStr() before any escaping happens.
 */
static VALUE
pgconn_s_escape(VALUE self, VALUE string)
{
	int on_instance = rb_obj_is_kind_of(self, rb_cPGconn) ? 1 : 0;
	int enc_idx;
	int err = 0;
	size_t written;
	VALUE escaped;

	/* Type check; also refuses embedded NUL, which libpq would truncate at. */
	StringValueCStr(string);

	/* Instance form: escape in the connection's client encoding.
	 * Class form: there is no connection, so keep the string's own encoding. */
	if( on_instance ){
		enc_idx = pg_get_connection(self)->enc_idx;
	} else {
		enc_idx = ENCODING_GET(string);
	}
	if( enc_idx != ENCODING_GET(string) ){
		string = rb_str_export_to_enc(string, rb_enc_from_index(enc_idx));
	}

	/* Worst case every input byte is doubled, plus the NUL libpq appends. */
	escaped = rb_str_new(NULL, RSTRING_LEN(string) * 2 + 1);
	PG_ENCODING_SET_NOCHECK(escaped, enc_idx);

	if( on_instance ){
		written = PQescapeStringConn(pg_get_pgconn(self),
			RSTRING_PTR(escaped), RSTRING_PTR(string), RSTRING_LEN(string), &err);
		/* libpq signals e.g. invalid multibyte input through err, not the return value. */
		if( err )
			pg_raise_conn_error( rb_ePGerror, self, "%s", PQerrorMessage(pg_get_pgconn(self)));
	} else {
		written = PQescapeString(RSTRING_PTR(escaped), RSTRING_PTR(string), RSTRING_LEN(string));
	}

	/* Shrink to the bytes actually produced; rb_str_set_len also NUL-terminates. */
	rb_str_set_len(escaped, written);
	return escaped;
}