mssql_query weird behaviour : automatically removes double-quotes around column value (and the column type is “integer”)?

Question

I can´t find an explanation to this behaviour (SQL Server 2008 + PHP 5.2.14)

-This piece of code works ok:

$query=' select id from News..news where id="727" ';
$conn=mssql_connect("myDDBBServer","user","password");
$idQuery=mssql_query($query);
$row=mssql_fetch_array($idQuery);
echo $row[0]

I have to say that id is an int typed column, so if you copy and paste that query on the sql server query console, you get the following error: "The column name '727' is not valid".

I have no idea why is working via mssql_query, it seems like the php_mssql driver is removing those double quotes... I´m sure it has to do with php_mssql driver and not some other php.ini property, because if i execute that query using the php_sqlsrv driver i get the same error as through the sql server query console ("column name not valid").

Any help would be appreciated.

Answer 1

See SET QUOTED_IDENTIFIER in Books Online. When it's set to ON then double quotes are interpreted as marking an identifier ; when it's OFF then double quotes mark a literal value. ODBC and OLE DB set it ON by default, but different libraries can do what they like and you can set it explicitly yourself if you need to.

The bigger picture is that you shouldn't be embedding literal values in your SQL anyway. Instead, you should be using parameterized queries (however they work in your particular client library) because it avoids issues with SQL injection, quoting and data type conversion.