query()

public function query(string $sql, ?string $return_type = null): mixed

Description

Executes a raw SQL string exactly as given, without parameter binding. It is intended for statements whose text is fixed at development time and needs no values supplied from outside the code. Use query_bind() for any query that takes parameter values. Depending on $return_type, the result set is returned as a list of objects or of associative arrays; with the default of null nothing is returned, which is the normal choice for statements that produce no result set (INSERT, UPDATE, DELETE and similar).

Security Warning: This method does NOT use parameter binding. Never place user input (request parameters, form fields, cookies, headers, or values previously stored from a user) into the SQL string, whether by concatenation or interpolation. For queries with user input, use query_bind() instead to prevent SQL injection.

Parameters

Parameter Type Description Default Required
sql string The raw SQL query to execute. Must be a fixed statement with no user-controlled values; dynamic values belong in query_bind(). - Yes
return_type string|null Result format: 'object' for objects, 'array' for associative arrays, or null for no return (non-SELECT queries). null No

Return Value

Type Description
mixed
  • Array of objects if $return_type === 'object'
  • Array of associative arrays if $return_type === 'array'
  • null if $return_type is null or doesn't match 'object'/'array'

Example #1: SELECT Query Returning Objects

The code sample below demonstrates executing a SELECT query and returning results as objects.

Example #2: SELECT Query Returning Arrays

The code sample below demonstrates executing a JOIN query and returning results as associative arrays.

Example #3: Non-SELECT Query (No Return)

The code sample below demonstrates executing a data modification query without returning results.

Example #4: Complex Query with Database Functions

The code sample below demonstrates executing a query using database-specific functions.
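The four example usages described above, as an added illustration rather than the library's own sample code. It assumes that $db is an already-constructed instance of the wrapper class exposing query(), that the tables users and orders with the referenced columns exist, and (for Example #4) that the database is MySQL, since DATE_FORMAT() is MySQL syntax. Every SQL string is a literal: nothing from a request or a user reaches query().

```php
<?php
// Added example, not code from the library's documentation. Assumes $db is an
// instance of the wrapper class with query(), and that the tables users and
// orders (with the columns used below) exist. All SQL strings are fixed literals.

// Example #1: SELECT returned as objects (PDO::FETCH_OBJ), so each column
// becomes a property on the row object.
$activeUsers = $db->query("SELECT id, username, email FROM users WHERE is_active = 1", 'object');
foreach ($activeUsers as $user) {
    echo $user->id . ' ' . $user->username . ' ' . $user->email . PHP_EOL;
}

// Example #2: JOIN returned as associative arrays (PDO::FETCH_ASSOC).
$orderRows = $db->query(
    "SELECT u.username, o.id AS order_id, o.total
       FROM orders o
       JOIN users u ON u.id = o.user_id
      WHERE o.status = 'paid'",
    'array'
);
foreach ($orderRows as $row) {
    echo $row['username'] . ' order #' . $row['order_id'] . ' total ' . $row['total'] . PHP_EOL;
}

// Example #3: data modification. No $return_type is passed, so query()
// returns null; the statement is executed for its side effect only.
$db->query("UPDATE users SET is_active = 0 WHERE last_login < '2020-01-01'");

// Example #4: database-specific functions (MySQL syntax assumed). The month
// grouping, count and rounding are all done by the database in one query.
$monthlyStats = $db->query(
    "SELECT DATE_FORMAT(created_at, '%Y-%m') AS month,
            COUNT(*)                          AS order_count,
            ROUND(SUM(total), 2)              AS revenue
       FROM orders
      GROUP BY DATE_FORMAT(created_at, '%Y-%m')
      ORDER BY month DESC",
    'array'
);
foreach ($monthlyStats as $row) {
    printf("%s: %d orders, %.2f revenue%s", $row['month'], $row['order_count'], $row['revenue'], PHP_EOL);
}
```

Note that the date in Example #3 is a literal written into the source; the moment such a cutoff comes from a request or a configuration screen, the statement has a dynamic value and belongs in query_bind() instead.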

Important Notes

  • The $sql parameter is required.
  • CRITICAL SECURITY: This method does NOT use parameter binding. Never concatenate user input directly into the SQL string.
  • For queries with dynamic values, use query_bind() instead for security.
  • Returns null whenever $return_type is not 'object' or 'array', which covers:
    • Non-SELECT queries (INSERT, UPDATE, DELETE, etc.), which should be called without a $return_type
    • When $return_type is null (the default)
    • When $return_type is any other string
  • Uses PDO::FETCH_OBJ for object returns (properties match column names).
  • Uses PDO::FETCH_ASSOC for array returns (associative arrays).
  • If debug mode is enabled, the SQL query will be displayed before execution. Because that output exposes table and column names, keep debug mode off in production.
  • Use this method only for:
    • Static SQL queries (no user input)
    • Queries using only database literals and functions
    • Administrative operations with trusted data
    • Complex queries that can't use the simpler helper methods
  • Avoid using for:
    • Queries with any user-provided values
    • Form input processing
    • Search queries with user-entered terms
    • URL parameter-based queries
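A stand-alone demonstration of why the rules above matter, added here and not taken from the library. Because the wrapper is built on PDO (see the notes on PDO::FETCH_OBJ and PDO::FETCH_ASSOC), the example uses PDO directly against an in-memory SQLite database as a stand-in: the unsafe function concatenates a constructed attacker string into raw SQL, exactly the pattern query() must never receive; the safe function binds the value, which is what query_bind() exists for. The third function covers the one case binding cannot help with, a dynamic identifier such as a sort column, and shows the allowlist check that must precede any raw query containing one. Table contents, the attacker payload and the function names are all constructed for the example.

```php
<?php
// Added example, not code from the library's documentation. Uses PDO with an
// in-memory SQLite database as a stand-in for the wrapper. Requires the
// pdo_sqlite extension (bundled with most PHP builds).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, is_admin INTEGER NOT NULL)");
$pdo->exec("INSERT INTO users (username, is_admin) VALUES ('alice', 1), ('bob', 0), ('carol', 0)");

// Constructed attacker input: the quote closes the string literal and the
// rest appends an always-true condition.
$userInput = "nobody' OR '1'='1";

// UNSAFE: the pattern this page forbids for query(). The input becomes part of
// the SQL text, so the quote inside it rewrites the WHERE clause.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the value is sent as a bound parameter, separately from the SQL text,
// so the quote and the OR clause stay inside the data and never reach the parser.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("SELECT username FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (column names, table names, sort direction) cannot be bound.
// If one has to be dynamic in a raw query, compare it against a fixed allowlist
// and refuse anything else before the SQL string is assembled.
function listUsersOrdered(PDO $pdo, string $orderBy): array
{
    $allowedColumns = ['id', 'username'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    // $orderBy is now one of two literals written in this file, so the raw query is safe.
    return $pdo->query("SELECT username FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

echo 'unsafe rows: ' . count(findUserUnsafe($pdo, $userInput)) . PHP_EOL;
echo 'safe rows:   ' . count(findUserSafe($pdo, $userInput)) . PHP_EOL;

foreach (listUsersOrdered($pdo, 'username') as $row) {
    echo $row['username'] . PHP_EOL;
}

try {
    listUsersOrdered($pdo, 'id; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Run with the PHP CLI: the unsafe variant returns every row in the table even though no user is named "nobody", because the injected OR clause is true for all of them, while the bound variant returns no rows. Applied to the wrapper, the first function is the misuse of query() the notes above warn against, the second is what query_bind() is for, and the allowlist check is the only legitimate way to put a request-derived identifier into a query() call.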