1

when I write a query for MySQL, usually use a form like this:

$column= "column_name";
$query = "SELECT * FROM table_name WHERE \"".$column."\"" = \"some_value\" ";

if I want to avoid using the \"". sequence for the variables, can I use this other form or there could be some compatibility issues or some other problem ?

$column= "column_name";
$query = "SELECT * FROM table_name WHERE \"$column\" = \"some_value\";
Billal Begueradj
  • 20,717
  • 43
  • 112
  • 130
webose
  • 195
  • 4
  • 1
    Syntax mistake: You can't have columns AND strings in double quotes for SQL. For MySQL it's valid for the latter, for ANSI SQL double quotes are only meant for identifiers. Most portable: only single quotes for string values, backticks for identifiers. – mario Jan 04 '13 at 00:52
  • I'll check the sql documentation thanks! – webose Jan 07 '13 at 23:35

2 Answers2

4

In both of these cases what you're doing is fine, but a few notes:

1) What you're doing in your first form is using the strings like string literals, which means you can/should use single quotation marks instead of double quotation marks, as they are parsed much faster.

 $column = 'column_name';
 $query = 'SELECT * FROM table_name WHERE ' . $column . ' = "some_value"';

What you're doing in the second example is also fine, it just depends on the reason you're trying to avoid using the escape character, but if you're just doing it for the sake of readability, what you have is fine.

Worth noting is that handling queries the way you're doing here is getting deprecated and you should take a look at PDO and inject your values that way.

Edit Per Comments Above - Removed " from around the column.

DaOgre
  • 2,080
  • 16
  • 25
  • 2
    just want to stress out the note; get rid of mysql_* functions and start using prepared statements (preferably with pdo and not mysqli_* functions). – Luceos Jan 04 '13 at 00:43
  • 1
    "as they are parsed much faster" - try and find a benchmark which proves that. – AD7six Jan 04 '13 at 00:46
  • [About single and double quote](http://stackoverflow.com/questions/3446216/difference-between-single-quote-and-double-quote-string-in-php). – The Alpha Jan 04 '13 at 00:52
  • @AD76 This doesn't need a proof. If you take something as-is, it will always be faster compared to when you have to interpret the content. This said, it will not make a measurable difference in usual programs. – Michel Feldheim Jan 04 '13 at 01:06
  • @AD76 Thought this was interesting: http://www.codeforest.net/php-myth-busters-using-single-quotes-on-string-is-faster-then-double-quotes. Not so much about speed as it is memory however – DaOgre Jan 04 '13 at 01:14
  • Ok as soon as I can I'll try the php PDO, didn't know it was a kind of passepartout for the various sql languages. – webose Jan 07 '13 at 23:40
2

Yes, you can.

  • Strings delimited with double quotes are interpreted by the PHP parser.
  • to make sure, the variable is identified correctly, put it into curly brackets

Example

$variable = 1;

$array = array( 1,2 );

$object = new stdclass();
$object->member = 1;

$string = "You can basically put every kind of PHP variable into the string. This can be a simple variable {$variable}, an array {$array[0]} or an object member {$object->member} even object methods.";

If you want PHP to take the $variable literally without interpretation, put the string into single quotes.

Another method I really like to use for queries is the heredoc notation

$sqlQuery = <<< EOQ
    SELECT 
           "field"
    FROM
           "table"
    WHERE
           "id" = '{$escapedValue}'
EOQ;

One more note:

In SQL you should delimit values with the single quote, and identifiers like table name and field names with double quotes (ANSI compatible) or the back tick ```

Michel Feldheim
  • 17,625
  • 5
  • 60
  • 77