
mysql – PHP quotes in SQL

Posted by: admin February 25, 2020

Questions:

Why does this code produce an error

  $sql = "INSERT INTO accountlist VALUES ("", "$user", "'$pwd", "$mail", "$date")";

and this one doesn’t?

  $sql = "INSERT INTO accountlist VALUES ('', '$user', '$pwd', '$mail', '$date')";

I know that double quotes process variables while single quotes don't, so the first option should be the right one, but it is the opposite!

How to&Answers:

To answer your question instead of going on tangents about query parameters…

https://www.php.net/manual/en/language.types.string.php explains the mechanics of using quote characters inside quoted strings.

Basically, if your PHP string is delimited by ", then the next " character is the end of the string.

But you might want to use a literal double-quote character inside the string, but not to end the string. To do this, you can put a backslash in front of it like this:

$sql = "INSERT INTO accountlist VALUES (\"\", \"$user\", \"$pwd\", \"$mail\", \"$date\")";

Then the backslashed double-quote characters become part of the string content, not the delimiter for the end of the string.

But single-quote characters inside a double-quoted string won’t cause the same ambiguity, so they don’t need to be backslashed. Therefore the following works without error:

$sql = "INSERT INTO accountlist VALUES ('', '$user', '$pwd', '$mail', '$date')";

The parser can tell that single-quote is not the character it’s looking for to end the double-quoted string. So those single-quotes are parsed as literal characters.

This works the same way in many other programming languages, like Java, C, C++, Ruby, Python, Perl, and even in SQL itself.

This is why some people may sound impatient that you asked this question. It’s a very beginner-level question that indicates that you haven’t done enough reading of programming languages, and you’re expecting the community to give you personalized tutoring for concepts that you should get on your own.

Answer:

Because in the first one you forget to concatenate, causing an error. BUT WAIT….

….you should always use prepared statements, that way you never have to worry about quotes in queries ever again!

In the second query PHP will interpolate variables in single quotes because the whole query is surrounded by double-quotes.

Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe!

Answer:

What they’re saying is dead-on-the-money … and considerably easier, too!

Your query becomes:

INSERT INTO accountlist VALUES ("", ?, ?, ?, ?)

The ? symbols (which, notice, are not enclosed in quotes) are the parameters.

And now, each time you execute the query, you provide an array with four values in it, to be substituted left-to-right in the statement. Those values can be anything, and you don’t have to care about quote-marks and such, because they are not part of the SQL. Instead, the parameters are inputs.

And if you have to do “a whole lot of this,” say thousands or millions of times, you prepare the statement just once, then execute the prepared statement as many times as necessary, providing a different array of values as inputs each time.

There are also plenty of libraries out there that let you specify parameters by name, giving a hash of named values, e.g.

INSERT INTO accountlist VALUES ("", :user:, :pwd:, :mail:, :date:)

{ 'user' => 'fred', 'pwd' => 'secret', 'mail' => '[email protected]', 'date' => today() }

… and the library turns it into a valid SQL statement like the one shown above.

Much more secure, much less headache, and noticeably more efficient.
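Both parameter styles from this answer, as an added PHP/PDO example that is not part of the original post. It assumes a MySQL `accountlist` table whose first column is an auto-increment id; the DSN, credentials and input values are placeholders constructed for the example.

```php
<?php
// Added example (not from the original answers). Assumes a MySQL table
//   accountlist(id INT AUTO_INCREMENT PRIMARY KEY, user, pwd, mail, date)
// reachable through the DSN below; credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let MySQL itself bind the parameters
]);

// Constructed input full of quote characters. Interpolating it into the SQL
// string (as in the question) would end the quoted literal early and either
// break the query or let the input change the statement's meaning.
$user = "o'brien\"; DROP TABLE accountlist; --";
$pwd  = password_hash('secret', PASSWORD_DEFAULT); // never store the raw password
$mail = 'fred@example.com';                        // placeholder address
$date = date('Y-m-d');

// Positional parameters: the ? markers are not quoted, because the values are
// sent separately from the SQL text and are never parsed as SQL.
$stmt = $pdo->prepare(
    'INSERT INTO accountlist VALUES (NULL, ?, ?, ?, ?)' // NULL -> auto-increment id
);
$stmt->execute([$user, $pwd, $mail, $date]);

// Named parameters: PDO spells them :name (the answer's :name: is a generic
// sketch). Prepare once, then execute as often as needed with new inputs.
$stmt = $pdo->prepare(
    'INSERT INTO accountlist VALUES (NULL, :user, :pwd, :mail, :date)'
);
foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com']] as [$u, $m]) {
    $stmt->execute([
        ':user' => $u,
        ':pwd'  => password_hash('changeme', PASSWORD_DEFAULT),
        ':mail' => $m,
        ':date' => $date,
    ]);
}

// Read back: the awkward username was stored verbatim, quotes and all,
// and the table still exists, because the input was data, not SQL.
$check = $pdo->prepare('SELECT user FROM accountlist WHERE user = ?');
$check->execute([$user]);
var_dump($check->fetchColumn() === $user);
```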