
I have this code:

$sql=mysqli_query($dbc, "SELECT * FROM users WHERE user = '".$username."'");

but why do so many people do this if

$query = "SELECT type FROM users WHERE user = '$username' ";

works fine too? And if we have multiple values we can just do

$query = "SELECT type FROM users WHERE user = '$username' AND pass = '$pass'";

I couldn't find any explanations on this syntax on the internet.

Limpuls
  • Because if magic quotes are disabled the latter does not work. – paskl Mar 15 '19 at 23:22
  • You shouldn't use either method. You should use a prepared statement for queries. – rickdenhaan Mar 15 '19 at 23:24
  • But for other strings, I personally use the concatenation method because I consider the other way to be a bad practice that will lead to unexpected results if I one day decide I prefer my strings to be in single quotes instead of double quotes. – rickdenhaan Mar 15 '19 at 23:26
  • @rickdenhaan so if I had `$username = $_POST['username']` instead of double quotes ` "username" ` the second method may not work if magic quotes are disabled like @paskl said? – Limpuls Mar 15 '19 at 23:30
  • @rickdenhaan Yeah I heard about prepared statements, but I was looking at many old SO answers and that bit of not knowing the difference really bothered me, thus this question. – Limpuls Mar 15 '19 at 23:31
  • Sidestepping the security/context of your samples. -- Variable interpolation works just fine. Newcomers tend to recommend/overuse concatenation, because of dated tutorials or misguided advice ("less readable code = faster"). – mario Mar 15 '19 at 23:33
  • No, magic quotes has nothing to do with this and hasn't been a thing [since PHP 5.4.0](http://php.net/manual/en/security.magicquotes.what.php). This is about variable expansion, which PHP always does if a string is [in double quotes or Heredoc format](http://php.net/manual/en/language.types.string.php#language.types.string.parsing). So, `"$username"` will become `"bob"`, but `'$username'` will be the literal string `'$username'`. – rickdenhaan Mar 15 '19 at 23:33
  • @rickdenhaan The only question I'm left with then is why do we need dots around `"$username"`? – Limpuls Mar 15 '19 at 23:38
  • In your query you are in a string with double quotes, but *inside* that you have single quotes. Those single quotes have no meaning to PHP in that context. So `"WHERE username = '$username'"` works fine. But let's say you're outputting XML where the attribute uses double quotes but the *string itself* uses single quotes: `echo ''`. This wouldn't work, because the string is defined by single quotes and the inner double quotes have no meaning to PHP. To avoid this confusion, I *always* use the concatenation technique. But that's personal preference. – rickdenhaan Mar 15 '19 at 23:43
  • @rickdenhaan Thanks, your last comment made it all clear for me. You should post it as an answer, I will accept it. – Limpuls Mar 15 '19 at 23:48
  • Can't post answers to a closed question, but what I said is pretty much what is also explained in the duplicates @mario found. – rickdenhaan Mar 15 '19 at 23:49
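The thread makes two points: the dot operator and double-quote interpolation build the same string, and neither is the right tool for putting user input into SQL. The following PHP is an added example, not code from the question or the comments. It shows the three string forms side by side on a name that legitimately contains a quote, and the prepared-statement version that rickdenhaan recommends. It assumes, like the question, a mysqli connection in `$dbc` and a `users` table with `user` and `type` columns; the sample names are constructed.

```php
<?php
// Added example, not from the question or its comments.
// Assumes: a mysqli connection in $dbc and a table `users` (columns `user`, `type`),
// as in the question. Sample values below are constructed.

declare(strict_types=1);

// The two styles from the question produce byte-for-byte identical SQL:
// the dot operator concatenates $username, double quotes interpolate it.
function buildByConcatenation(string $username): string
{
    return "SELECT type FROM users WHERE user = '" . $username . "'";
}

function buildByInterpolation(string $username): string
{
    return "SELECT type FROM users WHERE user = '$username'";
}

// Single-quoted strings do NOT interpolate: the literal text $username goes into the SQL.
function buildWithSingleQuotes(string $username): string
{
    return 'SELECT type FROM users WHERE user = \'$username\'';
}

// What both styles share: the value is pasted into the SQL text, so a value that
// contains a quote changes the statement itself instead of being treated as data.
// A prepared statement sends the SQL and the value separately, so the value is
// always data, whatever characters it contains.
function fetchUserType(mysqli $dbc, string $username): ?string
{
    $stmt = $dbc->prepare('SELECT type FROM users WHERE user = ?');
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($type);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $type : null;
}

// Demonstration that needs no database: print the SQL text each style produces.
foreach (['bob', "O'Brien"] as $name) {          // constructed sample values
    echo "input: $name\n";
    echo "  concat : ", buildByConcatenation($name), "\n";
    echo "  interp : ", buildByInterpolation($name), "\n";
    echo "  single : ", buildWithSingleQuotes($name), "\n";
    echo "  equal? : ", var_export(buildByConcatenation($name) === buildByInterpolation($name), true), "\n";
}
// For "O'Brien" the first two both yield  ... WHERE user = 'O'Brien'  which is not
// valid SQL and fails at execution time; fetchUserType($dbc, "O'Brien") works,
// because the name never becomes part of the SQL text.
```

Run it with `php example.php`: the `concat` and `interp` lines are identical for every input and `equal?` is always `true`, which answers the "why the dots" question; the `single` line shows the unexpanded `$username`. The `O'Brien` case is the reason the comments steer away from both styles: a perfectly ordinary value breaks the query, and the same mechanism is what makes string-built SQL injectable, whereas the bound parameter in `fetchUserType` handles that input without any escaping.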

0 Answers