Executing Raw SQL
Sometimes the built-in helpers aren’t enough.
That’s when you go raw – safely.
The db module gives you two tools:
- query() – raw SQL executed exactly as you wrote it, with no parameter binding (it can still return rows)
- query_bind() – raw SQL with proper parameter binding (the one you’ll use 99% of the time)
query_bind() – The Safe Choice
Always prefer this when user input is involved.
Named parameters (cleanest)
Unnamed parameters (? placeholders)
If any part of the query comes from user input → use query_bind() or one of the other database interaction methods. No exceptions. Keep in mind what binding covers: placeholders stand in for values only. A table name, column name or ASC/DESC keyword cannot be bound, so if those have to vary, pick them from a fixed list in your code rather than from the request.
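The controller below is an added example, not code from the Trongate documentation. It assumes a module controller called Members (extending the framework's Trongate base class), a members table with id, username, status and age columns, the framework helpers post() and segment() for reading request data, and that named placeholders are passed to query_bind() as array keys without the leading colon. It shows both placeholder styles, where LIKE wildcards go, the whitelist needed for a sort direction, and the three return types.

```php
<?php
// Added example, not code from the Trongate documentation. Assumes a Members
// controller, a "members" table (id, username, status, age) and the framework
// helpers post() and segment() for reading untrusted request data.
class Members extends Trongate {

    // Named placeholders: each :name in the SQL is matched by a key in $data.
    // The value travels to the database separately from the SQL text, so a
    // username such as  x' OR '1'='1  is compared literally, never parsed.
    public function find(): void {
        $username = post('username');   // untrusted: straight from the request

        $sql  = 'SELECT id, username, status FROM members WHERE username = :username';
        $data = ['username' => $username];

        $rows = $this->model->query_bind($sql, $data, 'object');   // array of objects
        echo json_encode($rows);
    }

    // LIKE searches: the wildcards belong in the bound value, not in the SQL.
    public function search(): void {
        $term = post('term');

        $sql  = 'SELECT id, username FROM members WHERE username LIKE :pattern ORDER BY username';
        $data = ['pattern' => '%' . $term . '%'];

        $rows = $this->model->query_bind($sql, $data, 'array');    // array of assoc arrays
        echo json_encode($rows);
    }

    // Unnamed placeholders: $data is a plain list, one value per ? in order.
    // Placeholders only ever stand for values. Column names, table names and
    // keywords such as ASC/DESC cannot be bound, so those are chosen from a
    // fixed whitelist in the code, never copied from the request.
    public function adults(): void {
        $min_age   = (int) segment(3);                          // e.g. /members/adults/18
        $direction = segment(4) === 'desc' ? 'DESC' : 'ASC';    // whitelisted, not bound

        $sql  = "SELECT id, username, age FROM members WHERE status = ? AND age >= ? ORDER BY age $direction";
        $data = ['active', $min_age];

        $rows = $this->model->query_bind($sql, $data, 'object');
        echo json_encode($rows);
    }

    // Writes: omit $return_type (or pass null) because there is no result set.
    public function register(): void {
        $sql  = 'INSERT INTO members (username, status, age) VALUES (:username, :status, :age)';
        $data = [
            'username' => post('username'),
            'status'   => 'pending',
            'age'      => (int) post('age'),
        ];

        $this->model->query_bind($sql, $data);
    }
}
```

The cast in adults() is defence in depth, not the protection: binding is what stops the injection, and the cast just keeps garbage out of the comparison. The one thing binding cannot do for you is the ORDER BY direction, which is why it is resolved against a fixed pair of strings before it ever touches the SQL.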
query() – Only When You’re 100% Sure
Use this only for fully trusted, hard-coded queries (migrations, reporting, complex joins, etc.).
Never build a query() string from anything that arrived from outside (form fields, URL segments, query strings, cookies, headers, uploaded files, or data fetched from another system). Escaping or "cleaning" the input is not a substitute for binding.
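The controller below is an added example, not code from the Trongate documentation. It assumes a module controller called Reports, members and orders tables joined on orders.member_id, and the framework helper post() for reading request data. It puts the one acceptable use of query() (a fully hard-coded reporting join) next to the pattern this section forbids, with a constructed input that shows why the forbidden version is broken, and the bound rewrite.

```php
<?php
// Added example, not code from the Trongate documentation. Assumes a Reports
// controller, "members" and "orders" tables joined on orders.member_id, and
// the framework helper post() for reading untrusted request data.
class Reports extends Trongate {

    // Acceptable use of query(): every character of the SQL is hard-coded and
    // nothing from the request reaches the string, so there is nothing to bind.
    public function revenue_last_30_days(): void {
        $sql = 'SELECT m.id, m.username, COUNT(o.id) AS orders, SUM(o.total) AS revenue
                FROM members m
                JOIN orders o ON o.member_id = m.id
                WHERE o.created_at >= DATE_SUB(CURDATE(), INTERVAL 30 DAY)
                GROUP BY m.id, m.username
                ORDER BY revenue DESC';

        $rows = $this->model->query($sql, 'object');
        echo json_encode($rows);
    }

    // NEVER do this: request data spliced into the SQL string and run with query().
    // With a constructed username of   x' OR '1'='1
    // the statement becomes
    //   SELECT id, username FROM members WHERE username = 'x' OR '1'='1'
    // and returns every member. Trimming or stripping tags from the input does
    // not help: the single quote is what matters, and it survives.
    public function find_member_unsafe(): void {
        $username = post('username');
        $sql = "SELECT id, username FROM members WHERE username = '" . $username . "'";

        $rows = $this->model->query($sql, 'object');   // injectable
        echo json_encode($rows);
    }

    // The same lookup done properly: the value is bound, so the quote in the
    // constructed input above is just a character inside a string to compare.
    public function find_member(): void {
        $sql  = 'SELECT id, username FROM members WHERE username = :username';
        $rows = $this->model->query_bind($sql, ['username' => post('username')], 'object');
        echo json_encode($rows);
    }
}
```

The test for whether query() is allowed is simple: can you point at every character of the SQL and say who typed it? In revenue_last_30_days() the answer is "the developer" for all of it; in find_member_unsafe() part of it was typed by whoever sent the request, and that is the whole problem.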
Return Types
Both methods accept a $return_type parameter. For query_bind() it's the third argument; for query() it's the second.
- 'object' → rows returned as objects (the Trongate default)
- 'array' → rows returned as associative arrays
- omit, or pass null → no result set is returned (what you want for INSERT/UPDATE/DELETE)
Debug Mode Works Here Too
Turn on debug mode → both methods dump the fully bound SQL before execution. Lifesaver on hairy queries.
Need raw power or complex table joins? Use query_bind().
Need raw power and you wrote every character yourself? query() is fine.
For everything else, stick to the built-in helpers.