
I'm working to integrate a plug-in into a PHP web application, and one line of the code puzzles me:

$sql = "update inventory set qtyleft='$qtyleft',price='$price',sales=sales+'$sales',qtysold=qtysold+'$qtysold' where id='$id'";
mysql_query($sql);

where $qtyleft, $price, $sales, $qtysold and $id are all variables.

I'm not very familiar with PHP, but I always thought string concatenation in PHP is done by using the . operator and it seems to me that the code above is just a long string without actually putting those variables to the SQL query. Is that the case?

Jim
    If it helps you find out more, this is a language feature that's generally called ["string interpolation" or "variable interpolation"](https://en.wikipedia.org/wiki/String_interpolation): http://php.net/manual/en/language.types.string.php#language.types.string.parsing But given that code, I'd use neither. I'd use a non-deprecated mysql library, like mysqli or PDO, and use a parameterised query. That way you won't be potentially open to massive security holes. – Matt Gibson Jan 14 '15 at 10:01
  • And no one is going to reference single quotes against double quotes opt on loss in performance due to the parsing of variables within double quotes? :) – dbf Jan 14 '15 at 10:04
    @dbf Well, I [probably wouldn't](https://nikic.github.io/2012/01/09/Disproving-the-Single-Quotes-Performance-Myth.html), personally. – Matt Gibson Jan 14 '15 at 10:05
  • @MattGibson So **microoptimization** is what is called. Well then, dependency on the limitless amount of RAM and the endless expansion of CPU power is not to be used as an argument. Of course, as your linked article points out, you can see everything relatively. I wouldn't personally tell a guy who drives an Agera R that my Fiat Panda is a fast car. – dbf Jan 14 '15 at 10:15
  • @dbf: your Panda can surely go everywhere, though, while the Agera R may have some problems in harder roads. Just saying. – briosheje Jan 14 '15 at 10:19
  • Thanks for all the answers so fast! I marked the first one as answer but I upvoted all valid answers. Also thanks for the comments regarding security and that msql_* is deprecated. That's the reason I'm working on this plugin. – Jim Jan 14 '15 at 10:20
  • @briosheje It drives beautifully on almost every road ;) – dbf Jan 14 '15 at 10:21

4 Answers

In PHP, double quote (") delimited strings will evaluate variables in them.

$foo = 42;
echo "The answer for everything is $foo"; // The answer for everything is 42

This specific example is very bad because you shouldn't include variables directly in an SQL query, and shouldn't use mysql_query in new code.

See more:

Madara's Ghost
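To make the warning in this answer concrete, here is an added example (not code from the question or from any of the answers). It rebuilds the interpolated query from the question, shows what that string becomes when `$id` carries hostile text, and then performs the same update with PDO and bound parameters. The function names are mine, and an in-memory SQLite database (the pdo_sqlite extension is assumed) stands in for MySQL so the script runs offline; the table and sample rows are constructed for the example.

```php
<?php
// Added example, not code from the question or any of the answers.
// It reproduces the interpolated query from the question, shows what it
// turns into when $id carries attacker-controlled text, and then performs
// the same update with PDO and bound parameters. An in-memory SQLite
// database (pdo_sqlite extension assumed) stands in for MySQL so the
// script runs offline; the table and sample rows are constructed here.
declare(strict_types=1);

// The question's pattern: a double-quoted string, so every $variable is
// interpolated into the SQL text exactly as given, quotes and all.
function buildInterpolatedQuery(string $qtyleft, string $price, string $sales, string $qtysold, string $id): string
{
    return "update inventory set qtyleft='$qtyleft',price='$price',sales=sales+'$sales',qtysold=qtysold+'$qtysold' where id='$id'";
}

// Constructed hostile input: the single quote closes the id literal and the
// appended condition makes the WHERE clause true for every row.
$hostileId = "7' or '1'='1";

echo buildInterpolatedQuery('10', '9.99', '1', '1', $hostileId), PHP_EOL;
// ... where id='7' or '1'='1'  -> one request rewrites the whole inventory table

// The fix: the SQL text is fixed at prepare time and the values travel
// separately as parameters, so their content can never change the statement.
function updateInventory(PDO $db, int $qtyleft, float $price, int $sales, int $qtysold, string $id): int
{
    $stmt = $db->prepare(
        'UPDATE inventory
            SET qtyleft = :qtyleft,
                price   = :price,
                sales   = sales + :sales,
                qtysold = qtysold + :qtysold
          WHERE id = :id'
    );
    $stmt->execute([
        ':qtyleft' => $qtyleft,
        ':price'   => $price,
        ':sales'   => $sales,
        ':qtysold' => $qtysold,
        ':id'      => $id,
    ]);
    return $stmt->rowCount(); // rows the UPDATE actually matched
}

// For MySQL the DSN would be 'mysql:host=...;dbname=...;charset=utf8mb4'
// with the same options plus PDO::ATTR_EMULATE_PREPARES => false, so that
// the server rather than the client library binds the parameters.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE inventory (id TEXT PRIMARY KEY, qtyleft INTEGER, price REAL, sales INTEGER, qtysold INTEGER)');
$db->exec("INSERT INTO inventory VALUES ('7', 12, 5.00, 0, 0), ('8', 3, 2.50, 0, 0)");

// Legitimate update: exactly one row.
echo updateInventory($db, 10, 9.99, 1, 1, '7'), ' row(s) updated', PHP_EOL;

// Same hostile string as a bound parameter: it is compared as the literal
// id "7' or '1'='1", which no row has, so nothing changes.
echo updateInventory($db, 0, 0.0, 0, 0, $hostileId), ' row(s) updated', PHP_EOL;

// Sanity check: the hostile call must not have touched row 8.
$row8 = $db->query("SELECT qtyleft FROM inventory WHERE id = '8'")->fetchColumn();
assert((int) $row8 === 3);
```

The first `echo` prints the exact statement the question's code would send to MySQL, which is the quickest way to see that interpolation pastes the raw text into the SQL. With the prepared statement the same string is just an id value that matches no row, so the second `updateInventory` call reports 0 rows. mysqli with `prepare`/`bind_param` gives the same protection if you prefer it over PDO; the point is that values are bound, not spliced into the query text.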

See Variable Parsing section of the Strings manual page.

When a string is specified in double quotes or with heredoc, variables are parsed within it.

If you use single quotes for a string, the variables will not be interpolated. If you use double quotes, they will be.

Josh Harrison

Some call it "variable interpolation". It is explained on the Variable parsing section of the manual page about strings. It helps to read the entire page and also the user comments.

The basic idea is that for strings enclosed in double quotes (") and in heredoc blocks, PHP searches for variables inside the string when it needs to use it and replaces them with their values at the moment of execution. This means the same string can render to different values at different moments of the script's execution.

This is just syntactic sugar; it doesn't change the way the code behaves, and any string that contains variables can be rewritten using the string concatenation operator (.). Usually this syntax produces shorter source code. Sometimes the code is easier to read this way, other times it is harder, because complex expressions (array access, e.g.) need to be enclosed in curly braces ({ and }) inside the string.

axiac

The code you mentioned will work in PHP without any issues. Please refer to the PHP Manual for more details.

Another issue that you might need to look out for is that the function mysql_query is deprecated. Please refer here. That gives me a feeling that the plugin you are going to use is not maintained correctly. And one more problem is that it's not good practice to pass the variable directly into the SQL query, due to possible security issues.

Jose Antony