CODEWITHSUNDEEP
phpescaping
Snake
Snake

Reputation: 319

PHP escaping question

I have just read the following code but do not understand why there is " and also ' used. Thank you!

$sql='SELECT uid,name FROM users WHERE user="'.mysql_real_escape_string($_POST['login_name']).'" AND ..

Upvotes: 2

Views: 138

Answers (7)

Select0r
Select0r

Reputation: 12628

The single quotes surround the SQL-statement ("SELECT..."), the double quote surround the data for the field "user" (though I'd use the quotes the other way around).

The query would look something like this (use single quotes):

SELECT uid FROM users WHERE user='snake'

To assign this query to the variable $sql, you'd have to enclose it in quotes, using double quotes this time, so PHP doesn't assume, the string would end before 'snake':

$sql = "SELECT uid FROM users WHERE user='snake'";

And as you won't always be asking for 'snake' statically, you exchange 'snake' with a dynamic name, exiting/entering the $sql-string by using double quotes again:

$sql = "SELECT uid FROM users WHERE user='" . $dynamic . "'";

If you only wanted one type of quotes, you'd have to escape the quotes that enclose the user-string.

Upvotes: 2

Phill Pafford
Phill Pafford

Reputation: 85308

Looks like the single quotes are used for the PHP code what form the query and the double quotes are use for the query itself

More on Single/Double quotes

you can always echo out the $sql value to see how the Single/Double quotes look before executing the SQL against a DB.

something like:

$sql='SELECT uid,name FROM users WHERE
user="'.mysql_real_escape_string($_POST['login_name']).'";

// Print the SQL
echo $sql."<br />";

Upvotes: 0

Clinton
Clinton

Reputation: 2837

You can use single or double quotes for wrapping strings in php. However, there are differences.

With single quote strings, you cannot inline variables (eg: $a = 'hi $name'), nor can you escape characters (eg: $a = 'hi!\n$name').

Here is a nice summary: http://www.jonlee.ca/php-tidbit-single-quotes-vs-double-quotes/

Also on a side note.. Not sure if double quotes should be used for encasing strings in SQL. I do believe you should use single quotes in most DBs.

Upvotes: 0

gregseth
gregseth

Reputation: 13408

The single quotes are used to define your string in PHP. The double ones delimit your text field (login_name) in your SQL query.

This is done to avoid escaping the quotes of the query, if the same were used.

Upvotes: 0

Quentin
Quentin

Reputation: 943240

This is a PHP program to write an SQL query (and store it in a string).

The target SQL looks like this:

SELECT uid,name FROM users WHERE user="something" AND …

So in PHP terms:

$foo = 'SELECT uid,name FROM users WHERE user="something" AND …'

But you want to replace "something" with dynamic data. In this case the posted login_name — but made safe for MySQL.

$foo = 'SELECT uid,name FROM users WHERE user="' .
       mysql_real_escape_string($_POST['login_name']) .
       '" AND …'

A better approach is to use prepared statements.

Upvotes: 2

RJD22
RJD22

Reputation: 10340

the " will be literally included in the final mysql request so the request send to the mysql database will be:

SELECT uid,name FROM users WHERE user="loginname" AND ..

Upvotes: 0

Filip Ekberg
Filip Ekberg

Reputation: 36287

There shouldn't be.

The "correct" $sql might look like this:

$sql="SELECT uid,name FROM users WHERE user='".mysql_real_escape_string($_POST['login_name'])."';

You use ' in SQL to say it's a string / literal.

I would suggest that you look into prepared statements, i don't trust mysql_real_escape_string nor mysql_very_real_seriously_this_is_the_real_escape_string, that php-syndrome is not to trust .

Upvotes: 3

Related Questions