
I'm a beginner in PHP learning the basics by watching a video. We're in the process of creating a form. I understood everything that is happening except for the below. Can someone please explain to me why he did it like this, rather than ---> id='$_SESSION['user_id']";

```php
id='"'.$_SESSION['user_id']."'";
```

```php
// Code from the tutorial as posted in the question; it assumes session_start()
// has already been called and a mysql_connect()/mysql_select_db() connection exists.
function getuserfield($field){
    // Build the SQL text by concatenating the session value between single quotes
    $query = "SELECT $field FROM users WHERE id='".$_SESSION['user_id']."'";
    $query_run = mysql_query($query);

    if($query_run){
        // Return the value of $field from the first row of the result
        return mysql_result($query_run, 0, $field);
    }
}
```
Fluffeh
Iamwhoiam
    The author chose to do concatenation with the `.` operator instead of variable interpolation. There isn't a great reason to do one or the other - it's mostly a matter of style. Note that `id='$_SESSION['user_id']'` would be a syntax error though inside the double-quoted string. It would need to be `{}` enclosed as `id='{$_SESSION['id']}'` or omit the array key quotes as `[id]` rather than `['id']` The methods of interpolating variables in the double quoted string [are described in the PHP Strings manual](http://php.net/manual/en/language.types.string.php) – Michael Berkowski Dec 26 '14 at 21:10
  • I have to point out though - since you are learning, it is important to begin learning the right way. The `mysql_*()` functions were deprecated last year in PHP 5.5 and should not be used for new code. They will eventually be removed from PHP entirely. Instead, now is the time to begin learning to use PDO with `prepare()/execute()` for prepared statements. [This PDO tutorial for MySQL developers](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers) places PDO in context of the deprecated `mysql_*()` functions. – Michael Berkowski Dec 26 '14 at 21:12
  • 1
    Have a look at [this reference question](http://stackoverflow.com/questions/5605965/php-concatenate-or-directly-insert-variables-in-string/5605970#5605970) for info on the differences between concatenation and variable interpolation. There are arguments each way. There are also [very tiny speed differences](http://stackoverflow.com/questions/13620/speed-difference-in-using-inline-strings-vs-concatenation-in-php5/13665#13665) which exist, but you should absolutely not concern yourself with. – Michael Berkowski Dec 26 '14 at 21:14
  • Thank you, this was very helpful. The only reason I'm learning this deprecated method is there's not really good tutorials on how to use the latest ones. So I wanted to get the grasp of it by learning simple MYSQL first. & to answer my question, what you basically said was, putting things like $_SESSION into a variable don't work. So I have to enclose it with {}? @MichaelBerkowski – Iamwhoiam Dec 26 '14 at 21:40
  • Complex things like arrays or objects have special rules for using in a quoted string, and are often just best done with `{}`. I have [an answer here which explains the situation](http://stackoverflow.com/a/13935532/541091) -- what the error message from PHP would be, and how to work around it. – Michael Berkowski Dec 26 '14 at 22:04

1 Answer

There is a lot to say about the insertion of variables into an SQL query, but for a beginner just the syntax:

In PHP you can use single quotes or double quotes for strings, but there is no variable substitution inside single quotes.

And in SQL a string must be enclosed in single quotes; the result must be something like `WHERE id='asdf'`. So in the example `WHERE id='".$_SESSION['user_id']."'"` there is the single quote after the equal sign, then end of string, then string concatenation, then the variable, string concatenation, start of string, closing single quote - it is correct.

Your `id='$_SESSION['user_id']";` has unbalanced single and double quotes.

Much better would be: use something like PDO, prepared statements, and bound variables.

One more remark: in databases the id column is most often of type integer, which would need a different solution.

Str.
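The following is an added example, not code from the question, the answer or the comments above. It puts the three things discussed on this page side by side: the concatenated query from the tutorial, the `{}`-enclosed interpolation that Michael Berkowski's comment describes, and the PDO prepared statement that both the comments and the answer recommend instead. The `$pdo` connection, the allow-list of column names and the session value are assumptions made for the example; no real database is contacted when the script runs as written.

```php
<?php
// Added example: equivalent ways to build the tutorial's query, then the PDO form.
// Assumes session_start() has run and, for the PDO part, that a connection
// $pdo exists (hypothetical; the DSN and credentials below are placeholders).

// 1. Concatenation, as in the tutorial: close the string, append the value, reopen it.
function queryByConcat(string $field, string $userId): string
{
    return "SELECT $field FROM users WHERE id='" . $userId . "'";
}

// 2. Interpolation: an array element inside a double-quoted string must be
//    wrapped in {}. Writing id='$_SESSION['user_id']' is a parse error.
function queryByInterpolation(string $field, array $session): string
{
    return "SELECT $field FROM users WHERE id='{$session['user_id']}'";
}

// Both functions return: SELECT email FROM users WHERE id='42'
// Neither form is safe if user_id (or $field) contains a quote or other SQL,
// which is why the page recommends prepared statements for new code.

// 3. PDO prepared statement: the id travels as a bound parameter, never as
//    SQL text. Column names cannot be bound, so $field is checked against a
//    fixed allow-list (constructed for this example) instead of being
//    interpolated blindly.
function getUserField(PDO $pdo, string $field, int $userId)
{
    $allowed = ['username', 'email', 'created_at'];   // constructed allow-list
    if (!in_array($field, $allowed, true)) {
        throw new InvalidArgumentException("Unknown field: $field");
    }
    $stmt = $pdo->prepare("SELECT `$field` FROM users WHERE id = :id");
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();      // false when no row matched
    return $value === false ? null : $value;
}

// Usage with constructed values (no database needed for the first two):
$session = ['user_id' => '42'];
echo queryByConcat('email', $session['user_id']), "\n";
echo queryByInterpolation('email', $session), "\n";

// With a real connection (placeholders, not the page's values):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'db_user', 'db_pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo getUserField($pdo, 'email', (int) $_SESSION['user_id']);
```

The integer cast in the last line addresses the answer's closing remark: when `id` is an integer column, the value is bound as `PDO::PARAM_INT` rather than wrapped in single quotes.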