2

I don't see any difference using single quote or double quotes. When or why should I use the first instead of the latter?

I've read some where that for SQL I should use singles - why?

1''
  • 26,823
  • 32
  • 143
  • 200
Francesco
  • 24,839
  • 29
  • 105
  • 152
  • Pretty sure the ANSI standard in SQL is single-quote. Looking for a reference – Phil May 04 '11 at 02:45
  • possible duplicate of [What is the difference between single and double quotes in SQL?](http://stackoverflow.com/questions/1992314/what-is-the-difference-between-single-and-double-quotes-in-sql) – OMG Ponies May 04 '11 at 02:45
  • @Phil Brown: ANSI-92 supports double quotes for object names - most databases support double quotes in order to specify non-standard characters. – OMG Ponies May 04 '11 at 02:47
  • @OMGPonies Ah, I assumed the OP was referring to string literals only – Phil May 04 '11 at 02:48
  • @Phil Brown/@OMG Ponies, I'm pretty sure he was referring to string literals because single quotes for object names would result in string literals. Which would not be a similar effect at all. – JStead May 04 '11 at 02:54
  • @JStead: *Ask* the OP, do **not** assume... – OMG Ponies May 04 '11 at 03:12

5 Answers5

6

You should use the combination of single quotes and mysql_real_escape_string or move into PDO.

The mysql_real_escape_string will take care of cleanning any unclean variable you want to store on your database and the single quotes will prevent any execution inside it.

Here is an example:

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

PDO's example:

$dbh = new PDO('mysql:dbname=your_database;host=your_host', $user, $password);
$stmt = $dbh->prepare('SELECT * FROM users WHERE user = :username AND password = :password');
$stmt->execute(array('username' => $user, 'password' => $password));

If you are not properly cleanning the data you are about to store you can suffer from SQL Injection.

For example a normal query

SELECT * FROM users WHERE user = 'test'

injected query:

SELECT * FROM users WHERE user = 'anything' OR 'x'='x'

another example:

SELECT * FROM users WHERE user = ' '; DROP TABLE users

More about SQL injection attack: SQL injection prevention, MySQL Injection

Why you should be using php's PDO for database access

Prix
  • 19,417
  • 15
  • 73
  • 132
  • Forget the whole suite of `mysql_*` functions and move to PDO. – Phil May 04 '11 at 03:03
  • @Phil yes PDO is another safe way too. – Prix May 04 '11 at 03:03
  • Also, PHP's MySQL extension prevents multiple query execution so the "Bobby Tables" use-case doesn't usually apply – Phil May 04 '11 at 03:04
  • @Phil that was not a particular example but a more generalized examples of what SQL injection is capable of. In addition I did add 3 links that not only shows but explain more about it being one directly from php.net. Also added a link at the top in regards PDO ;) – Prix May 04 '11 at 03:08
3

If your MySQL server is running with the --ansi flag, then "double" quotes will stop to work. SQL strings must be enclosed in 'single' quotes.

Or more specifically, double quotes actually behave like backticks. They can be used for column names:

SELECT "colum&name", `x&y` FROM "fictional-query"
 WHERE strcolumn = 'text' OR "column&name" = 'string'

The very same would however fail if mysqld is not running in the ansi compliant mode. Only then are double quotes equivalent to single quotes for strings. That's why they should be avoided.

mario
  • 144,265
  • 20
  • 237
  • 291
2

Use whichever is easier or more convenient. If they are all the same to you, then single quote is more portable, at least theory.

If the query is being generated from—for example—PHP, then single quotes are more convenient writing SQL queries since double quotes allow a PHP expression to substitute variables.

$query = "SELECT * FROM $sometable WHERE somefield = '1'";

According to PHP rules, single quotes (had they been used) prevent the expansion of $sometable.

As for theoretical portability, I've used Oracle, MySQL, MS Sql server, SQL Lite, and some home grown flavors, and never had a problem with either quote character.

wallyk
  • 56,922
  • 16
  • 83
  • 148
1

Single quotes are more restrictive in PHP. For example, single quotes will not allow variables to be replaced inside of the string.

$myval = "world";
echo "Hello $myval";   // produces "Hello world"
echo 'Hello $myval';   // produces "Hello $myval"

Also, you would think that, since single-quotes are more strict, they would be more efficient too, but that's not the case. PHP string manipulation performance is a funny (and documented) thing as seen here.

Community
  • 1
  • 1
Garrett Bluma
  • 1,312
  • 10
  • 14
1

Strings enclosed in double quotes are the most commonly used in PHP scripts because they offer the most flexibility. This is because both variables and escape sequences will be parsed accordingly.

Enclosing a string within single quotes is useful when the string should be interpreted exactly as stated. This means that both variables and escape sequences will not be interpreted when the string is parsed.

Double quotes come in handy when you have single quotes in your mysql syntax

$query = "SELECT * FROM tableName WHERE columnName = '{$value}'";
Brett
  • 721
  • 2
  • 10
  • 20