Re: PHP Syntax Question



Thomas Mlynarczyk wrote:
Onideus Mad Hatter wrote:

<removed irrelevant newsgroups>

$username = 'Onideus Mad Hatter';
"SELECT `name` FROM `user_data` WHERE `name` = '$username'"
... becomes
"SELECT `name` FROM `user_data` WHERE `name` = 'Onideus Mad Hatter'"

"SELECT name FROM user_data WHERE name = $username"
... becomes
"SELECT name FROM user_data WHERE name = Onideus Mad Hatter"
And that's just wrong in SQL. Leaving out the backticks is okay here,
but strings must be quoted. If you saw it like this in a tutorial, then
the tutorial is wrong.

It may be that the example in the tutorial was

"SELECT name FROM user_data WHERE user_id = $userid"

This is a completely valid way, if the column is of a type like int or float.

The backticks are really useful if the column or table names are the same as
reserved words in SQL, like key, order and so on.

--

//Aho
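As an added example (not code from the thread), the three query shapes discussed above are run against an in-memory SQLite database through PDO, so you can see which ones the SQL parser accepts. The table, column and row are constructed to match the posts; SQLite is used only because it runs without a server, and it accepts MySQL-style backtick quoting for identifiers.

```php
<?php
// Added example, not from the thread. The table and column names follow the
// posts; the single data row is constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `user_data` (`user_id` INTEGER PRIMARY KEY, `name` TEXT)");
$db->exec("INSERT INTO `user_data` (`user_id`, `name`) VALUES (7, 'Onideus Mad Hatter')");

// Run one SQL string and report either the matched names or the parser's error.
function try_query(PDO $db, string $sql): string
{
    try {
        $rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
        return 'ok: ' . json_encode($rows);
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

$username = 'Onideus Mad Hatter';
$userid   = 7;

// 1. String value, quoted: valid. The backticks around identifiers are optional.
echo try_query($db, "SELECT `name` FROM `user_data` WHERE `name` = '$username'"), "\n";

// 2. String value, unquoted. After interpolation the parser sees
//      ... WHERE name = Onideus Mad Hatter
//    and fails: 'Onideus' is read as an identifier, and 'Mad' cannot follow it.
//    (With a one-word name it would fail as "no such column" instead; either
//    way it is never a string comparison.)
echo try_query($db, "SELECT name FROM user_data WHERE name = $username"), "\n";

// 3. Integer column, unquoted: valid, because the interpolated literal is numeric.
echo try_query($db, "SELECT name FROM user_data WHERE user_id = $userid"), "\n";

// Quoting the literal is not the same as escaping it. If $username came from a
// request, a single quote inside it would end the literal early. Passing the
// value separately with a prepared statement removes the quoting question
// entirely, since the value never becomes part of the SQL text.
$stmt = $db->prepare("SELECT `name` FROM `user_data` WHERE `name` = :name");
$stmt->execute([':name' => $username]);
echo 'prepared: ', json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
```

The first and third queries print the matched name, the second prints a parser error, and the prepared form prints the same result as the first without any quotes in the PHP source. Note that the numeric case only stays valid while `$userid` really is a number; if it is a string taken from input, cast it (for example with `(int)`) before interpolating, or use the prepared form there as well.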