
I have seen some articles that use these { ... } brackets to insert their variables.

EX:

$query = $this->pdo->prepare("SELECT * FROM administrator WHERE username = '{$ins}'");

Does it not matter? Or what is the difference from this one?

$query = $this->pdo->prepare("SELECT * FROM administrator WHERE username = '$ins'");

Which is the best way to write the PDO SQL queries?

Burhan Khalid
    possible duplicate of [Curly braces in string in PHP](http://stackoverflow.com/questions/2596837/curly-braces-in-string-in-php) – bruchowski Oct 13 '14 at 04:54
  • I'm sorry, but can you explain it to me? It's still confusing me when it is used with PDO SQL. Is it for SQL injection, or maybe something else? – Khrisna Gunanasurya Oct 13 '14 at 04:58
  • In this particular use case I see no reason to use bracket notation, they will both evaluate to the same thing.. but for example with bracket notation you could do `{$foo->$bar}`.. [see here for more info](http://php.net/manual/en/language.types.string.php#language.types.string.parsing), besides you should use bound parameters anyway – bruchowski Oct 13 '14 at 05:08
  • @KhrisnaGunanasurya [no, it's not for injection, you should use prepared statements for SQL injection](http://www.phptherightway.com/#databases) – Prix Oct 13 '14 at 05:08
  • None of them. Read, please, this: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – sectus Oct 13 '14 at 08:21

1 Answer

Neither.

Your SQL code should never contain variable input. You should use parameter binding.

$query = $this->pdo->prepare('SELECT * FROM administrator WHERE username = ?');
$query->execute([$ins]);

To be safe, I recommend using single quotes ' ', because string interpolation only works with double quotes.

There might be situations when you would like to use a PHP constant as part of the SQL. In this case you can use simple concatenation.

define('ADMIN_TABLE', 'administrator');
$query = $this->pdo->prepare('SELECT * FROM '.ADMIN_TABLE.' WHERE username = ?');
$query->execute([$ins]);
Dharman
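The following is an added example, not code from the question or the answer above, that puts the interpolated query and the bound query side by side against an in-memory SQLite database so it runs offline (it assumes the pdo_sqlite extension is installed). It also shows the one case the answer mentions where concatenation is unavoidable, a table name, handled with a constructed allow-list instead of raw user input.

```php
<?php
// Added example (not from the question or answer): string interpolation vs.
// parameter binding in PDO, demonstrated on an in-memory SQLite database.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE administrator (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
// Constructed sample rows; note the apostrophe in the second name.
$pdo->exec("INSERT INTO administrator (username) VALUES ('alice'), ('O''Brien')");

// Interpolation: the value becomes part of the SQL text, so a quote inside the
// input changes the statement itself. A legitimate name like O'Brien already
// breaks this query; the same mechanism is what SQL injection abuses.
function findByInterpolation(PDO $pdo, string $ins): array
{
    $query = $pdo->prepare("SELECT * FROM administrator WHERE username = '{$ins}'");
    $query->execute();
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

// Binding: the SQL text is fixed at prepare time; the value is sent separately
// and is always treated as data, whatever characters it contains.
function findByBinding(PDO $pdo, string $ins): array
{
    $query = $pdo->prepare('SELECT * FROM administrator WHERE username = ?');
    $query->execute([$ins]);
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table or column names) cannot be bound. When the table name has
// to vary, check it against a fixed allow-list (constructed here) before
// concatenating it, and still bind the value.
function findInTable(PDO $pdo, string $table, string $ins): array
{
    $allowed = ['administrator'];
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $query = $pdo->prepare('SELECT * FROM ' . $table . ' WHERE username = ?');
    $query->execute([$ins]);
    return $query->fetchAll(PDO::FETCH_ASSOC);
}

$name = "O'Brien";

try {
    findByInterpolation($pdo, $name);
    echo "interpolation: unexpectedly succeeded" . PHP_EOL;
} catch (PDOException $e) {
    echo "interpolation failed: " . $e->getMessage() . PHP_EOL;
}

echo "binding found " . count(findByBinding($pdo, $name)) . " row(s)" . PHP_EOL;
echo "allow-listed table found " . count(findInTable($pdo, 'administrator', 'alice')) . " row(s)" . PHP_EOL;

try {
    findInTable($pdo, 'users; --', 'alice');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php`. The interpolated query fails as soon as the input contains a quote, while the bound query returns the matching row; the curly-brace and plain `$ins` forms in the question behave identically here, because both splice the value into the SQL text before PDO ever sees it.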