A MySQL query, with `backticks` vs without

Viewed 1,087 times

6

Is a query safer, or less safe, with backticks?

$Query = "Select * from `tabela` WHERE `id` = 1";


vs

$Query = "Select * from tabela WHERE id = 1";

2 answers

12

With regard to safety, no: backticks have nothing to do with security.

Backticks are used when a name is a MySQL reserved word or when it contains a space.

The first example at the link goes straight to the point:

mysql> CREATE TABLE interval (begin INT, end INT);
ERROR 1064 (42000): You have an error in your SQL syntax ...
near 'interval (begin INT, end INT)'

mysql> CREATE TABLE `interval` (begin INT, end INT);
Query OK, 0 rows affected (0.01 sec)
  • In the case of spaces, can't you use quotes? By the way, as far as I know, I have never seen a column with a space in its name.

11


It depends. If you know what you're doing, either one. If you don't, the first is better, so you avoid conflicts that may arise and that you don't know how to resolve. Some programmers adopt this form by default; others adopt the second form and only use the backtick (the correct name for it) when they need to.

It is not any safer to do that; safety comes from correct practices. It helps avoid certain kinds of conflicts or inconsistencies, such as using characters that could confuse the syntax of the query (a space, for example) or reserved words. If you know and organize the names of things well, it does not help much.

In some cases it can help with safety and avoid SQL injection, but do not count on it to solve that problem: this measure can be circumvented. The feature was not invented to solve security problems.

It is also good to know that this form is not available in all databases. If you need to use the query on another one, you may have problems. But if you need this feature, you will probably need several others as well.
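An added example (not code from the question or either answer) showing the two points above and the comment below about injection: backticks quote identifiers, which matters for a reserved-word column, but they do nothing for a value pasted into the SQL text; a bound parameter does. It assumes an in-memory SQLite database as a stand-in for MySQL, since SQLite accepts the same backtick identifier quoting; the table `tabela` is from the question, the column `order` and the rows are constructed.

```python
import sqlite3

# Added example, not from the original question or answers. An in-memory SQLite
# database stands in for MySQL: it accepts the same backtick identifier quoting.
TABLE = "tabela"        # table name from the question
RESERVED_COL = "order"  # constructed column name; a reserved word, so it needs quoting


def quote_identifier(name: str) -> str:
    """MySQL identifier quoting: wrap in backticks, double any embedded backtick."""
    return "`" + name.replace("`", "``") + "`"


def setup() -> sqlite3.Connection:
    """Constructed sample table with a reserved-word column and three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE `{TABLE}` (`id` INTEGER PRIMARY KEY, "
                 f"{quote_identifier(RESERVED_COL)} INTEGER)")
    conn.executemany(f"INSERT INTO `{TABLE}` VALUES (?, ?)", [(1, 10), (2, 20), (3, 30)])
    return conn


def reserved_word_needs_quoting(conn) -> bool:
    """Same lesson as the `interval` example: bare reserved word fails, quoted works."""
    try:
        conn.execute(f"SELECT {RESERVED_COL} FROM `{TABLE}`")
        return False
    except sqlite3.OperationalError:
        conn.execute(f"SELECT {quote_identifier(RESERVED_COL)} FROM `{TABLE}`")
        return True


def lookup_interpolated(conn, raw_id: str):
    """The question's first form: identifiers in backticks, but the value is pasted
    into the SQL text. Backticks protect the names, not the value."""
    return conn.execute(f"SELECT * FROM `{TABLE}` WHERE `id` = {raw_id}").fetchall()


def lookup_parameterized(conn, raw_id: str):
    """What actually stops injection: the value is bound as a parameter and is
    never parsed as SQL. Backticks still quote only the identifiers."""
    return conn.execute(f"SELECT * FROM `{TABLE}` WHERE `id` = ?", (raw_id,)).fetchall()


if __name__ == "__main__":
    db = setup()
    print(lookup_interpolated(db, "1"))          # one row
    print(lookup_interpolated(db, "1 OR 1=1"))   # every row: the backticks did not help
    print(lookup_parameterized(db, "1 OR 1=1"))  # no rows: the value is compared literally
    print(reserved_word_needs_quoting(db))       # True
```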

  • 1

    What is wrong with the answer? Or was it a strategic downvote?

  • 1

    My bad, I forgot to give the reason. It was not strategic, hahaha. It was because in my opinion it really is a wrong answer: why "it depends"? There is a clear reason for using backticks, and it is also not a matter of "some programmers adopt this form by default"; again, there is a clear reason for their use, it is not a matter of convention but of necessity. "If you don't know, you'd better use the first" doesn't make any sense. =)

  • As you said, that is your opinion. Maybe you don't know that many programmers always use them to avoid problems, and they do it because they don't know what they're doing. The fact that you don't know that doesn't make the answer wrong. Yours is more wrong, because the question is about safety and you don't bring it up. You tweaked an excerpt of the text to take it out of context and make it look wrong. The only thing that is odd is that I didn't finish the sentence. I added the example to make clearer what I'm talking about, but I did talk about the problem you refer to.

  • I understand your point of view but still disagree :) What kind of problems does a programmer avoid by using backticks, other than the only reason they exist? If the programmer doesn't know what he's doing, he's not doing it, he's copying it, which in itself is a big mistake; if he doesn't know, the programmer should read and understand it. My answer is not wrong, because it explains the real use of backticks, which in this case has nothing to do with security, so I did not touch on that subject. From the question one understands that the user does not know what backticks are for, hence my answer, rather than...

  • ...continuing to prolong your "*and they do this because they do not know what they are doing*". I explained to him why backticks are or are not used; for that reason alone I already consider my answer correct, because instead of leaving the user with "it depends" or other superficial explanations, I explained what it is really about.

  • I'm not criticizing you or trying to attack you, okay? Don't take it the wrong way, it's a matter of opinion :)

  • But that's what almost every programmer does. That's exactly what I'm saying. But you'd rather understand what you want. If you want to ignore it, ignore it. The question is about safety, not about what the backtick is. You decided on your own that he doesn't know what it is. You can even say what it is, no problem. I said it too, correctly, nothing wrong. But he asked about security. I answered within the context of the question; you gave a generic answer about the feature. You just didn't like my answer, which is no reason to downvote. But if that's your opinion...

  • 1

    Without entering into the discussion, I believe the answer addresses all the points and counterpoints of using backticks. Downvoting over whether or not their use "depends" is somewhat radical.

  • Why does only MySQL (as far as I know) use this feature? I see a lot of code that uses it, but if it implies nothing about security, only the occasional use of a reserved word, what is the real usefulness of these backticks?

  • @bruno101 I have no idea

  • @Maniero, I don't know whether it will be useful for your answer, but here is a practical example in which the use of backticks prevents SQL injection: https://paiza.io/projects/gL1_oz-MXlP5p-dW4hZkg?language=mysql

  • It's just a coincidence, because you can get around it.
