whereString()
The method whereString() is a type-safe variant of where() for string-based columns like VARCHAR, TEXT, or similar. It ensures that only valid string inputs are accepted and automatically casts non-scalar input to string (if applicable).
Method Signature
public function whereString(string $column, mixed $value, string $operator = '='): self
Basic Usage
This method is used to apply WHERE conditions where the target column is of type VARCHAR, CHAR, or TEXT.
$db->whereString('email', 'john@example.com');
$db->whereString('status', 'active');
$db->whereString('name', 'admin%', 'LIKE');
$db->get('users');
Allowed input and validation
The $value is internally cast to string and validated using a heuristic SQL check if enabled.
Value | Column Type | Behavior |
---|---|---|
'admin@example.com' | any | ✅ allowed |
'admin@example.com OR 1=1' | VARCHAR / TEXT | ⚠️ suspicious, but allowed |
'admin@example.com OR 1=1' | INT / DATE | ❌ rejected |
'1; DROP TABLE users' | VARCHAR / TEXT | ⚠️ suspicious, allowed with caution |
'1; DROP TABLE users' | INT / DATE | ❌ rejected |
Security Note
Even though string values are safely passed via prepared statements, PDOdb adds a heuristic injection check for all WHERE inputs. This protects against classic attack patterns like:
- '1; SLEEP(1)'
- 'admin' OR '1'='1'
If the column is known to be a string field (e.g. VARCHAR, TEXT), the query proceeds as normal.
For numeric or date columns, these values are rejected immediately. The heuristic check can be disabled globally by defining the following constant:

define('PDOdb_HEURISTIC_WHERE_CHECK', false);
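The following added example is not PDOdb's own code: it illustrates the two points of this section with plain PDO and an in-memory SQLite table, namely that a bound string value stays a literal even when it looks like SQL, and that a column-type-aware heuristic like the one in the table above lets the value through for string columns but rejects it for INT / DATE columns. The functions looksSuspicious() and checkWhereValue(), the regex, and the $columnTypes map are hypothetical constructions for this illustration.

```php
<?php
// Added illustration, not PDOdb's implementation. Names and the regex below are
// hypothetical; the column-type map and sample rows are constructed for the demo.
declare(strict_types=1);

// Heuristic: flag values carrying classic injection fragments such as
// "OR 1=1", "; DROP ..." or "SLEEP(".
function looksSuspicious(string $value): bool
{
    $pattern = '/(\bOR\b\s+\S+\s*=\s*\S+|;\s*(DROP|DELETE|UPDATE|INSERT)\b|\bSLEEP\s*\()/i';
    return (bool) preg_match($pattern, $value);
}

// Mirror the table above: suspicious input is allowed for string columns and
// rejected for non-string ones. Non-scalar input is cast to string (JSON here,
// our own choice for the demo). Unknown columns are treated as VARCHAR.
function checkWhereValue(string $column, mixed $value, array $columnTypes): string
{
    $str = is_scalar($value) ? (string) $value : (string) json_encode($value);
    $type = $columnTypes[$column] ?? 'VARCHAR';
    if (looksSuspicious($str) && !in_array($type, ['VARCHAR', 'CHAR', 'TEXT'], true)) {
        throw new InvalidArgumentException("Suspicious value rejected for non-string column '$column'");
    }
    return $str;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'admin@example.com'), (2, 'bob@example.com')");

$columnTypes = ['id' => 'INT', 'email' => 'TEXT'];

// Suspicious-looking value on a TEXT column: accepted, then bound as a parameter,
// so the database compares it as one literal string rather than parsing it as SQL.
$value = checkWhereValue('email', 'admin@example.com OR 1=1', $columnTypes);
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE email = :v');
$stmt->execute([':v' => $value]);
echo "rows matched by bound literal: " . $stmt->fetchColumn() . "\n";

// The same kind of value aimed at an INT column is rejected before any SQL runs.
try {
    checkWhereValue('id', '1; DROP TABLE users', $columnTypes);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage() . "\n";
}
```

Run it with the pdo_sqlite extension enabled; the table survives the first query because the bound value never becomes part of the SQL text.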
Related Methods
- where() – generic variant for all types
- whereInt()
- whereFloat()
- whereBool()
- whereDate()