
PHP is not supposed to look inside single-quoted strings, in contrast with double-quoted strings. However, in my mysqli query string I put variables in the single-quoted list of values and it's working: values are transferred from the input form into my MySQL database in XAMPP. This means it must be peering inside the single quotes in order to identify that there's a variable there and substitute its value in the mysqli query's VALUES section, which shouldn't be the case.

I would have thought only double quotes containing variables would be substituted into the query, but in fact just the opposite: they DID NOT work! I was forced to convert them back to single quotes, which shouldn't work but do.

For example, where all the PHP variables in the query's VALUES section were defined previously from the input HTML form, the following totally works and inserts the form data into my database:

// Connection settings used on the XAMPP install; $first_name, $last_name, ...
// were assigned from the submitted HTML form earlier in the script.
$host = 'localhost';
$user = 'root';
$pw = '';
$db = 'aliensdb';
$dbc = mysqli_connect($host, $user, $pw, $db);
$table = 'alien_abductions';
$query = "INSERT INTO $table (
    first_name, 
    last_name, 
    when_it_happened, 
    how_long, 
    how_many, 
    alien_description, 
    what_they_did, 
    fang_spotted, 
    other, 
    email)
    VALUES (
    '$first_name', 
    '$last_name',
    '$when_it_happened',
    '$how_long',
    '$how_many', 
    '$alien_description', 
    '$what_they_did', 
    '$fang_spotted', 
    '$other', 
    '$email'    
    )";

$result = mysqli_query($dbc, $query) or die('Error querying database.');
mysqli_close($dbc);

That this works, and the variables are put into the values and successfully inserted as a new row in my database, breaks the laws of PHP - or does it? In what cases does PHP violate the 'single quotes aren't parsed' rule and/or the 'double quotes are parsed' rule?

Thanks :)

  • Because those single quotes are inside double quotes. But don't ever do this, use parameters. – Sami Kuhmonen Oct 28 '18 at 05:36
  • Delete this "code" and Google how to use prepared statements with `mysqli()` – Rotimi Oct 28 '18 at 05:39
  • Possible duplicate of [When to use single quotes, double quotes, and back ticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-back-ticks-in-mysql) – mickmackusa Oct 28 '18 at 05:48
  • Not a duplicate of the post / link offered by "mickmackusa" above - it does not deal with the issue posed in this question. – BarbaraRoseNow Nov 11 '18 at 15:56

1 Answer

PHP doesn't expand variables inside of (PHP) single-quoted strings. What you have are single quotes inside of a double-quoted string literal, where they are treated no differently than any other character.

Also, don't use variable replacement like this for SQL queries. Use prepared statements. You're vulnerable to SQL injection.

Jonathon Reinhart
  • So PHP doesn't parse nested quotation marks the same way it parses them when not nested, something that is not the case, for example, with parentheses, where parsing is consistent and continues to any depth of nesting. This does appear to break the rule that PHP never looks inside single quotes, and should be noted in the PHP manual, but at least it's now here for others to find. I spent many hours online and can say that there is no easily found mention of this inconsistency online besides this post, now available for others. – BarbaraRoseNow Nov 11 '18 at 15:54
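The two points made in the answer, shown in code. This is an added example and is not code from the question or the answer above: part 1 shows that a single quote inside a double-quoted PHP literal is just another character, and what happens when the interpolated data itself contains one; part 2 rewrites the question's INSERT as a mysqli prepared statement so the values never touch the SQL text. Assumed: PHP 7.4 or later with the mysqli extension, the table and column names from the question, placeholder connection settings, and a constructed sample row.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP >= 7.4 with mysqli; table/column names are the ones from the question.
declare(strict_types=1);

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Part 1: what the PHP string parser does with quotes inside quotes. */
function interpolationDemo(string $lastName): array
{
    // Double-quoted literal: $lastName IS expanded, and the ' characters
    // around it are ordinary bytes in the resulting SQL text.
    $doubleQuoted = "VALUES ('$lastName')";

    // Single-quoted literal: nothing is expanded; $lastName stays literal.
    $singleQuoted = 'VALUES (\'$lastName\')';

    return ['double' => $doubleQuoted, 'single' => $singleQuoted];
}
// With $lastName = "O'Brien" the double-quoted form becomes  VALUES ('O'Brien')
// The apostrophe in the data has closed the SQL string early: that is the SQL
// injection the answer warns about. Hand-escaping is the wrong fix; send the
// values separately from the statement instead.

/** Part 2: the question's INSERT with every form value sent as a bound parameter. */
function insertAbduction(mysqli $dbc, array $form): int
{
    // Column list is fixed in code; only the values vary per request.
    $columns = ['first_name', 'last_name', 'when_it_happened', 'how_long', 'how_many',
                'alien_description', 'what_they_did', 'fang_spotted', 'other', 'email'];

    $placeholders = implode(', ', array_fill(0, count($columns), '?'));
    $sql = 'INSERT INTO alien_abductions (' . implode(', ', $columns) . ")
            VALUES ($placeholders)";

    // Collect the values in column order; a missing field becomes an empty string.
    $values = [];
    foreach ($columns as $col) {
        $values[] = (string) ($form[$col] ?? '');
    }

    $stmt = $dbc->prepare($sql);
    // One 's' per value. The data travels to MySQL separately from the SQL
    // text, so an apostrophe in $form['other'] cannot alter the statement.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();

    return $stmt->affected_rows;
}

// Usage. Connection settings are placeholders (the question used root with
// no password on XAMPP); the sample row is constructed for this example.
if (PHP_SAPI === 'cli') {
    print_r(interpolationDemo("O'Brien"));

    if (getenv('RUN_DB_DEMO') === '1') {
        $dbc = new mysqli('localhost', 'root', '', 'aliensdb');
        $sample = [
            'first_name' => 'Fox',
            'last_name'  => "O'Brien",
            'other'      => "'); DROP TABLE alien_abductions; --",  // stored verbatim, never executed
        ];
        echo insertAbduction($dbc, $sample), " row inserted\n";
        $dbc->close();
    }
}
```

Run it with `php example.php` to see part 1; set `RUN_DB_DEMO=1` with a reachable `aliensdb` to exercise part 2. Note that the row with the hostile `other` value is inserted as plain text, which is exactly the point: with bound parameters the database never interprets form data as SQL.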