php-mysql查询中变量周围的单引号

Question

Why do I see in several examples of mysql queries via php the syntax:

$q = "CREATE TABLE '$tablename' ('$t_id_name')";

or things similar to that? I'm asking about the single quotes around the variable names. Is this required in MySQL strings? If I echo the string, it seems to expand the variables whether the quotes are there or not.

And would this pose a problem if this were done for something that was intended to be an integer?

Answer 1

To answer your question, the quotes are necessary, but not to expand the variable. A typical SQL query would look like this:

$q = "SELECT * FROM `table` WHERE `first_name` = 'user3475234'";

Now, consider the following example:

<?php
$tablename = "users";
$user = "user3475234";

$q = "SELECT * FROM `$tablename` WHERE `first_name` = '$user'";

echo $q;

This will display: SELECT * FROM `users` WHERE `first_name` = 'user3475234' . Note that the quotes weren't necessary to output the string, but they were a necessary part of the query.

That being said, code like this opens your script to SQL injection. I won't explain too much about it, since there are plenty of resources discussing it, but consider the example where someone's username is user3475234' OR 1==1-- . This username will effectively return all users in the table.

Answer 2

You must use backticks (`) for field or table name especially if the field or table name are same with mysql command. And you need to use single-quote (') for value.