apostrophe jungle

Question

it is a very simple problem, but I get lost!

instead of this:

'select field1, f2, f3 from obs where id = 2800 order by obs.sort;'

I want this:

'select field1, f2, f3 from obs where id = ' $obsid ' order by obs.sort;'

where $obsid is a variable.

but I get lost in the apostrophe jungle when I try it.

I don't have much experience with sql and my native language is not english. I'd really like to find a place where I can learn about apostrophes in sql-code.

thank you.

regards from Niels

Not only will using parameterised queries *(or prepared statements)* make this less painful, it will protect you from SQL Injection attacks... https://xkcd.com/327/ — MatBailie, Nov 08 '18 at 16:59
https://dev.mysql.com/doc/connector-net/en/connector-net-tutorials-parameters.html — , Nov 08 '18 at 17:08
There shouldn't be any apostrophe jungle in this case, since you don't need quotes around a number. What you're missing are the `.` characters to concatenate strings. `= ' . $obsid . ' order by` — Barmar, Nov 08 '18 at 17:52
I did it like Barmar first suggested. will learn more about the sane way later. I thank you all. — user7733834, Nov 10 '18 at 12:29

score 0 · Answer 1 · answered Nov 08 '18 at 17:39

0

The sane way is:

$stmt = $dbh->prepare('select field1, f2, f3 from obs where id = ? order by obs.sort');
$stmt->execute([$obsid]);

This example is for PHP language and PDO library. Whatever your tech stack is it should have a similar syntax.

answered Nov 08 '18 at 17:39

Álvaro González

142,137
41
261
360

Even saner is to use `:name` parameters instead of `?` – Barmar Nov 08 '18 at 17:51
@Barmar I agree. But when I use them as example I always get the opposite opinion :) – Álvaro González Nov 08 '18 at 17:58

apostrophe jungle

1 Answers1