Monday 15 September 2014

php - single quotes around variables in mysql queries -


Why do I see, in several examples of MySQL queries via PHP, this syntax:

$q = "create table '$tablename' ('$t_id_name')";

or things similar to that? I'm asking about the single quotes around the variable names. Are they required in MySQL strings? If I echo the string, it seems to expand the variables whether the quotes are there or not.

And would this pose a problem if it is done for something that is intended to be an integer?

To reply to your question: the quotes are necessary, but not to expand the variable. A typical SQL query looks like this:

$q = "select * from `table` where `first_name` = 'user3475234'";

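Now, consider the next example:

<?php
$tablename = "users";
$user = "user3475234";
// Both variables are expanded by PHP because the string is double-quoted.
$q = "select * from `$tablename` where `first_name` = '$user'";
echo $q;

This will display: select * from `users` where `first_name` = 'user3475234'. Note that the quotes weren't necessary to output the string, but they were a necessary part of the query.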

That being said, this code opens your script to SQL injection. I won't explain too much about it, since there are plenty of resources discussing it, but consider the example where someone's username is user3475234' or 1==1--. This username will return all users in the table.
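The interpolated query from the answer next to a parameterized form, as an added example that is not part of the original post. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs without a server; the `users` rows, the allow-list and the function names are constructed for illustration.

```php
<?php
// Added example, not from the original post. In-memory SQLite stands in for
// MySQL so this runs without a server; the PDO calls are the same with a mysql: DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `users` (`id` INTEGER PRIMARY KEY, `first_name` TEXT)");
$pdo->exec("INSERT INTO `users` (`first_name`) VALUES ('user3475234'), ('alice'), ('bob')"); // constructed rows

// Identifiers cannot be bound as parameters, so check them against an allow-list.
function tableName(string $name): string
{
    $allowed = ['users']; // hypothetical list of tables this script may query
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unexpected table name");
    }
    return "`$name`";
}

// Pattern from the answer: the value is interpolated into the SQL text.
function findByNameInterpolated(PDO $pdo, string $table, string $user): array
{
    $q = "SELECT * FROM " . tableName($table) . " WHERE `first_name` = '$user'";
    return $pdo->query($q)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels separately from the SQL text.
function findByNameBound(PDO $pdo, string $table, string $user): array
{
    $stmt = $pdo->prepare("SELECT * FROM " . tableName($table) . " WHERE `first_name` = :name");
    $stmt->bindValue(':name', $user, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integers are bound with their type instead of being quoted by hand.
function findById(PDO $pdo, string $table, int $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM " . tableName($table) . " WHERE `id` = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$name = "user3475234' or 1==1--"; // the username from the answer above
printf("interpolated: %d row(s)\n", count(findByNameInterpolated($pdo, 'users', $name)));
printf("bound:        %d row(s)\n", count(findByNameBound($pdo, 'users', $name)));
printf("by id 2:      %s\n", findById($pdo, 'users', 2)[0]['first_name']);
```

With the bound form, the single quotes around the value disappear from the SQL text entirely, and the integer case from the question is handled by `PDO::PARAM_INT` rather than by choosing whether to quote.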

php mysql syntax quotes
