6 replies to this topic

[alrazy1]

hi,
i have a question please , i see in some php scripts when they reference a mysql table for adding or modifying or deleting or selecting and also when they create a table ,
i see each time they use different slashes some times they use this slash ` somtimes the double quotes " sometimes the single quote ' ?
please advice me when and how and why they use different slashes and quotes and can you give me examples for all the possibilities ?
thank you.

[ghost_x47]

` uses for base specific parameters such as tablename, fieldname. You can't use ` char to data.
For example SELECT `table`.`id`,`table`.`name` FROM `table` WHERE `table`.`id`='1' but you can't write SELECT `table`.`id`,`table`.`name` FROM `table` WHERE `table`.`id`=`1` it will totally screw up this query.
You can write without ` , but better not. for example if you dynamically loads a tablename in query - if you put it inside `` then any syntax will cause an error if some try to put sql command in there. And protect your db.

' uses when gives data ,values to sql query.Double quotes can be used as well.(For example you can use doblequotes to insert a singlequote value.)

btw it's simple, but for better understanding, try to read docs for sql.

[Alexander]

Back tick is an optional MySQL feature (`) to denote table names, which can contain spaces (SELECT foo FROM `table with spaces`)

Single quotes may denote strings within MySQL (SELECT foo FROM `table` WHERE name = 'John'

Double quotes just surround the query nicely, $query = "SELECT this FROM `table` WHERE name = 'john'";

[sam_l]

Use back ticks, use single quotes, and capitalize the commands to create an easily readable statement.

[alrazy1]

1)Q for Alexander : i should also use single quote to wrap a numeric value like INT value for example primary key or its only for strings?
2)how i should treat numeric values then ?
3)Q for ghost x47 : i didnt understand well why you say i better always use back ticks for table and fields names ?
thank you all for the help

[ghost_x47]

Well, my english is very bad) So i apologize for that.
well, suggest that you have an object which have different fields for example.
$object with fields ('id','name','cvalue')
So you want to translate this object to database, and cause you don't know the names of fields before looking at actual object - you can't predefine fields in query.
so you need to paste fieldnames into a query from an object.

If hacker tries to put in select instead of 'id' something like 'id (select * FROM administrators)' - it won't work.
Some kind of last defence line from injections is to use data escaping and back ticks on table names.
Of course if you 100% sure - this defence line will never being reached, than you can write without backticks.
Or use some kind of orm.
And two more pluses that was mentioned by Alexander and sam_I -
1.You can use tables with spaces (but probably won't)
2.This makes code a little more readable.

[Alexander]

alrazy1 said:

1)Q for Alexander : i should also use single quote to wrap a numeric value like INT value for example primary key or its only for strings?
2)how i should treat numeric values then ?

Numeric values need not anything around them, they can be treated as is. For example: "INSERT INTO table (number, string, string) VALUES (12, 'an ID number', '32')"