
What is the difference between the quotes " and ' ? What about `? Is there an error in using different quotes ' and " below?

    $result = pg_query_params($dbconn,
        'INSERT INTO users
        (username, email, passhash_md5)
        VALUES ($1, $2, $3)',
        array($username, $email, $passhash_md5)
    );

    $result = pg_query_params($dbconn,
        "SELECT user_id
         FROM users
         WHERE email = $1",
        array($email)
    );
Léo Léopold Hertz 준영

3 Answers


Variable-substitution isn't done when using single quotes ('), meaning that the values in your first example would literally be $1 $2 etc if it was a regular string and not passed on to a function that replaces them.

If you don't need variable-substitution, it's better to stick with single quotes for performance reasons.

`` invokes the shell engine, runs the contents as an actual command, and returns the result, just like in Perl. Hence, it has a completely different meaning.

Examples:

$email = 'user@example.org';
$sql1 = "SELECT user_id FROM users WHERE email = $email";
$sql2 = 'SELECT user_id FROM users WHERE email = $email';

$sql1 would be SELECT user_id FROM users WHERE email = user@example.org

$sql2 would be SELECT user_id FROM users WHERE email = $email

jishi
  • Escapes to control chars, like \n and \t, are not expanded in single quote strings, too. – PhiLho Aug 23 '09 at 08:37
  • Strings like `$sql1` always make me cringe. If you _really_ want to include a variable in it, using `{$email}` always gets my preference. My usual approach: `"WHERE email = ".$email`, which makes it absolutely clear that it is NOT to be taken literally. – JorenB Aug 23 '09 at 08:53
  • Of course none of those ways are safe against SQL injection, whatever you call the variable! The OP has it right, using $1 et al to pg_query_params in single quotes; no variable-substitution is actually occurring here. The ‘$1’ syntax is perhaps a little misleading... other query parameterisation systems just use ‘?’. – bobince Aug 23 '09 at 09:19
  • PHP tokenizes input text using a state machine ([like this](http://gcov.php.net/PHP_5_3/lcov_html/var/php_gcov/PHP_5_3/Zend/zend_language_parser.c.gcov.php)), so **there is absolutely no performance difference between single and double quotes** when you don't use variable interpolation. Also, it's not cool to show example code that has serious security holes in it. – Kornel Dec 19 '11 at 20:19
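An added example (mine, not from the question or any of the answers) showing what SQL text PHP actually produces under each quoting style from the question, and why the mixed quoting is harmless while interpolating a PHP variable is the risky case the comments above describe. The email value and the find_user_id helper are constructed for illustration, and $dbconn is assumed to be an open pg_connect() handle.

```php
<?php
// Added example (not from the question or any answer): what PHP actually hands
// to pg_query_params under each quoting style. The email value is constructed.
$email = "o'brien@example.org";   // a legitimate address that happens to contain a quote

// Single quotes: PHP does no interpolation, so the placeholder $1 reaches
// pg_query_params intact and the value travels separately, never inside the SQL text.
$single = 'SELECT user_id FROM users WHERE email = $1';

// Double quotes with $1: "$" followed by a digit is not a variable name, so PHP
// keeps "$1" literally as well. Both of the questioner's queries are therefore fine.
$double = "SELECT user_id FROM users WHERE email = $1";
echo $single === $double ? "identical SQL text\n" : "different SQL text\n";

// Double quotes with a real PHP variable: the value is pasted into the statement
// before the database sees it, so the quote inside the address changes the SQL.
// This is the pattern the comments call out as an SQL injection risk.
$interpolated = "SELECT user_id FROM users WHERE email = '$email'";
echo $interpolated, "\n";

// Backticks are not a string quote at all: the content is run as a shell command
// and its output becomes the value.
$greeting = `echo hello`;
echo $greeting;

// Constructed helper showing the parameterised form end to end. $dbconn is assumed
// to be an open connection from pg_connect(); the value never touches the SQL text.
function find_user_id($dbconn, string $email): ?int
{
    $result = pg_query_params(
        $dbconn,
        'SELECT user_id FROM users WHERE email = $1',
        array($email)
    );
    if ($result === false) {
        return null;
    }
    $row = pg_fetch_assoc($result);
    return $row ? (int) $row['user_id'] : null;
}
```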

Basically, " lets you embed variables like so:

<?php
$beer = 'Heineken';
echo "$beer's taste is great"; // works; "'" is an invalid character for variable names
echo "He drank some $beers";   // won't work; 's' is a valid character for variable names but the variable is "$beer"
echo "He drank some ${beer}s"; // works
echo "He drank some {$beer}s"; // works
?>

(From the PHP manual)

Using ' means that no checking for variables is done.

<?php
echo '$beer';
?>

Would output $beer.

NullUserException
Rich Bradshaw

The difference between single and double quoted strings is well explained in the PHP manual about Strings.

In your example, since you are using substitution variables such as $1 that mean something specific to pg_query_params and that you do not want PHP to interpret as variable names, you should use single quotes for your SQL query strings.

Greg Hewgill