Reputation: 11609
I have an issue with a SQL query using quotes with variables. (In general I use "bind", so I don't have this kind of problem.) Here's the query:
$myquery = mysql_query("SELECT * FROM mytable ORDER BY id ASC WHERE var='".$var."'");
The syntax does not seem to be correct; can anybody help?
Upvotes: 0
Views: 920
Reputation: 17500
In general you should use the parameter binding features provided by your DBD (Database Driver for Perl) or other language and driver combination. I gather that you're using PHP (though you should tag your questions accordingly to remove the ambiguity).
Here's a Stack Overflow thread on How to bind SQL parameters in PHP (using PDO). Note that there are limitations to the PHP PDO::bindParam method compared to similar features in other languages, so read the linked thread for caveats.
Here's another discussion about Binding Parameters to Statements ... for Perl (but conceptually applicable to other programming languages and their SQL libraries/drivers).
Upvotes: 1
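As an added example (not code from any of the posts above), here is the asker's query written with a PDO prepared statement: the value of $var travels as a bound parameter instead of being spliced into the SQL text, and the clause order is corrected (WHERE before ORDER BY). It also shows the limitation the answer alludes to: identifiers and keywords such as the ORDER BY direction cannot be bound, so they are checked against a fixed list instead. The DSN, credentials and database name are assumptions; "mytable", "id" and "var" come from the question.

```php
<?php
// Added example, not from the original posts. Assumed DSN/credentials below.
function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=mydb;charset=utf8mb4'; // assumed
    return new PDO($dsn, 'dbuser', 'dbpass', [              // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Rows of mytable whose var column equals $var, ordered by id.
 * $var is bound, so a quote inside it is plain data, not SQL.
 * $direction cannot be a bound parameter (it is a keyword, not a value),
 * so it is restricted to a fixed allow-list before being placed in the SQL.
 */
function findByVar(PDO $pdo, string $var, string $direction = 'ASC'): array
{
    $allowed = ['ASC' => 'ASC', 'DESC' => 'DESC'];
    $dir = $allowed[strtoupper($direction)] ?? null;
    if ($dir === null) {
        throw new InvalidArgumentException('direction must be ASC or DESC');
    }

    // WHERE must come before ORDER BY; only the allow-listed keyword is interpolated.
    $sql  = "SELECT * FROM mytable WHERE var = :var ORDER BY id $dir";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':var', $var, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

try {
    $pdo  = connect();
    $rows = findByVar($pdo, "O'Reilly", 'asc'); // apostrophe needs no escaping
    foreach ($rows as $row) {
        echo $row['id'], ' ', $row['var'], PHP_EOL;
    }
} catch (PDOException $e) {
    // Log the driver error server-side; do not echo it to the client.
    error_log($e->getMessage());
    echo 'Query failed', PHP_EOL;
}
```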
Reputation: 555
Well, you can try something like this:
$query = sprintf("SELECT * FROM mytable WHERE var='%s' ORDER BY id ASC", mysql_real_escape_string($var));
$result = mysql_query($query) or die("Error: " . mysql_error());
Also note that ORDER BY is in the wrong place. This is more readable, and you don't need to bother with single-quote concatenation. Also, it is safe against MySQL injection. Hope this helps!
Upvotes: 2
Reputation: 6147
You can use it like this:
$myquery = mysql_query("SELECT * FROM mytable WHERE var='$var' ORDER BY id ASC");
Upvotes: -1