Drupal 7's database layer is awesome. It is built upon PDO, and one of the great things about PDO is named placeholders, which allow you to build queries like:
$unsafestring = "this string can contain quotes: ' or other things";
$query = db_select('table')
  ->fields('table')
  ->condition('field', $unsafestring);
$result = $query->execute();
The SQL that is sent to the database is:
SELECT table.* FROM table WHERE (field = :db_condition_placeholder_0)
This is sent along with the contents of $unsafestring to replace the :db_condition_placeholder_0 token. Note that this isn't some lame string replacement, but an actual argument for the SQL statement.
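The same lookup three ways, as an added example that is not part of the original post: string concatenation for contrast, db_query() with a hand-written placeholder, and the query builder generating its own. It assumes a bootstrapped Drupal 7 site (run it with `drush php-script`) and a hypothetical table `example` with a column `field`.

```php
<?php
// Added example, not from the original post. Assumes a bootstrapped Drupal 7
// site and a hypothetical table {example} with a column `field`.

$unsafestring = "this string can contain quotes: ' or other things";

// 1. Unsafe: the value is pasted into the SQL text. The quote inside
//    $unsafestring terminates the string literal, so the query text itself
//    changes depending on the data. Shown only for contrast; not executed.
$bad_sql = "SELECT * FROM {example} WHERE field = '" . $unsafestring . "'";

// 2. db_query() with a named placeholder: the SQL text is fixed and the value
//    travels separately as a bound argument, whatever characters it contains.
$rows = db_query('SELECT * FROM {example} WHERE field = :value', array(
  ':value' => $unsafestring,
))->fetchAll();

// 3. The dynamic query builder generates the placeholder name for you
//    (:db_condition_placeholder_0) and binds the value the same way.
$query = db_select('example')
  ->fields('example')
  ->condition('field', $unsafestring);

// Inspect what actually goes to the database: casting to string compiles the
// query and yields the SQL text with the placeholder; arguments() then returns
// the placeholder => value map that is sent alongside it.
print (string) $query . "\n";
print_r($query->arguments());

$rows = $query->execute()->fetchAll();

// Caveat: placeholders bind values only, never table or column names. A value
// used in a LIKE pattern still needs db_like(), which escapes % and _ so they
// are matched literally instead of acting as wildcards.
$matches = db_select('example')
  ->fields('example')
  ->condition('field', '%' . db_like($unsafestring) . '%', 'LIKE')
  ->execute()
  ->fetchAll();
```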
This has some interesting implications for converting...