What’s the difference between a value with '(quotation marks) and a value without '(quotation marks)?


Hi folks, I want to know the difference between a value wrapped in '(quotation marks) and a value without '(quotation marks).

Ex:

SELECT * FROM dados WHERE nome = $nome (value without quotes)
SELECT * FROM dados WHERE nome = '$nome' (value with quotes)
  • It would be better if you gave an example of where you saw each one.

  • Anderson, I haven’t seen it anywhere, I just have this doubt myself, since I use the '(quotes) and I don’t know what they are for.

  • Hello, if you use it without quotation marks, it will only work for numbers; in the above case, as it is text, you need to use single quotation marks so the database can understand where the value begins and ends. I also recommend that you research bind params, because as it is, your query is not protected against SQL injection.

  • So, in my case I am a pentester (Offensive Security) and for a while now I have been studying secure development (Defensive Security). I am now testing exactly SQL injection, and I ended up in doubt about the use of the quotes. Thank you for clarifying.

1 answer


You’re probably talking about an SQL query built with PHP. Usually, when you use string-type values in an SQL query, they must be enclosed in single quotes ', while numeric values do not need them. Example in SQL (query executed directly in the database):

SELECT * FROM dados WHERE nome = 'João' AND idade = 12;

When you write the query from a programming language, you will not always need to add the quotes explicitly. For example, in PHP using PDO, you can either quote explicitly or use the prepared statement feature so that you don’t have to.

Example of using quotation marks:

$nome = 'João';

//when the variable is placed directly in the query, the value of
//the variable nome will not be between quotes
//it will be something like: SELECT * FROM dados WHERE nome = João AND idade = 12
$pdo->query("SELECT * FROM dados WHERE nome = $nome AND idade = 12");

//Whereas the correct form (SQL syntax) should be
//SELECT * FROM dados WHERE nome = 'João' AND idade = 12
//which can be obtained like this
$pdo->query("SELECT * FROM dados WHERE nome = '$nome' AND idade = 12");

//although the way of concatenating the quotes may vary,
//it can also be done like this (escaping the quote with \)
$pdo->query(
'SELECT * FROM dados WHERE nome = \'' . $nome . '\' AND idade = 12');

//Or you can omit the quotes by using a prepared statement:
//the placeholders :nome and :idade are bound to the values at execute time,
//so the values never become part of the SQL text
$statement = $pdo->prepare(
'SELECT * FROM dados WHERE nome = :nome AND idade = :idade');
$statement->execute([':nome' => $nome, ':idade' => 12]);
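To make the three forms from the answer concrete, here is an added example (not from the answer's author, and not PHP) that runs the same queries in Python against an in-memory SQLite database, which stands in for PDO here. The `dados` table and its three rows are constructed for the demonstration. It shows why the bare value only works for numbers, why a quoted value works for plain names but still breaks on data that contains an apostrophe (such as O'Neil), and why a bound parameter, the equivalent of the `prepare`/`execute` pair above, needs no quotes and treats any value purely as data.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the page's `dados` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dados (nome TEXT, idade INTEGER)")
    conn.executemany(
        "INSERT INTO dados VALUES (?, ?)",
        [("João", 12), ("O'Neil", 30), ("Maria", 12)],
    )
    conn.commit()
    return conn


def query_unquoted(conn, nome):
    """Splice the value into the SQL with no quotes:
    SELECT ... WHERE nome = João
    The database reads the bare word as a column name, not a string,
    so this only ever works for numeric values."""
    sql = f"SELECT nome, idade FROM dados WHERE nome = {nome}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def query_quoted(conn, nome):
    """Splice the value into the SQL inside single quotes:
    SELECT ... WHERE nome = 'João'
    The delimiters tell the database where the string starts and ends,
    but the value is still part of the SQL text, so an apostrophe inside
    the data closes the literal early and the statement no longer parses."""
    sql = f"SELECT nome, idade FROM dados WHERE nome = '{nome}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def query_bound(conn, nome, idade):
    """Bind the values as named parameters (like PDO prepare + execute).
    The SQL text never contains the values, so no quoting is needed and
    whatever the caller passes, apostrophes included, stays data."""
    sql = "SELECT nome, idade FROM dados WHERE nome = :nome AND idade = :idade"
    return conn.execute(sql, {"nome": nome, "idade": idade}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unquoted João :", query_unquoted(db, "João"))      # error: no such column
    print("quoted João   :", query_quoted(db, "João"))        # [('João', 12)]
    print("quoted O'Neil :", query_quoted(db, "O'Neil"))      # error: broken literal
    print("bound O'Neil  :", query_bound(db, "O'Neil", 30))   # [("O'Neil", 30)]
```

The bound form is the one to use for any value that comes from outside the program: it gives the correct answer for every input above and is the reason the comment recommending bind params protects the query, whereas both interpolated forms depend on the shape of the data.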
